# Generation of Weak Initialization Vector (IV)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1204: Generation of Weak Initialization Vector (IV) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
## Description
Using `createCipher` or `createDecipher` in Node.js is insecure because these functions derive the IV from the password alone, so the same password always produces the same IV; repeating an IV under one key makes the encrypted data predictable and vulnerable to attacks. Instead, use `createCipheriv` or `createDecipheriv` and supply a unique IV for every encryption operation.
## Impact
If exploited, attackers can decrypt or tamper with sensitive data, especially if the same key is reused. This breaks both data confidentiality and integrity, potentially exposing user information or allowing unauthorized data manipulation.