Insufficient Entropy in cryptiles

critical severity Published Sep 11, 2018 • Updated Sep 17, 2021

Package

npm cryptiles (npm)

Affected versions

< 4.1.2

Patched versions

4.1.2

Description

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy, and the digits it generates are not evenly distributed.

Recommendation

Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptiles; using the maintained package is strongly recommended.

References

CVE ID

CVE-2018-1000620

CVSS Score

9.8 Critical
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H