Skip to content

[Security] Insecure Random Number Generation for Secrets and Keys #1655

New issue
New issue
Open
Bug
Open
[Security] Insecure Random Number Generation for Secrets and Keys#1655
Bug
Assignees
Kbayero
@osmontero

Description

@osmontero
osmontero
opened on Jan 26, 2026

The installer currently uses math/rand for generating security-sensitive data, which is a significant security risk.

Identified Problems:

  • Insecure Randomness: In utils/secret.go, math/rand is used to generate passwords and internal keys. math/rand is a deterministic pseudo-random number generator and is not suitable for cryptographic or security purposes.
  • Predictability: Secrets generated this way can potentially be predicted if the seed is known or guessed.

Affected Code:

  • installer/utils/secret.go: GenerateSecret function.
  • installer/config/config.go: Usage of utils.GenerateSecret for default passwords and internal keys.

Recommended Actions:

  • Replace math/rand with crypto/rand for all secret and key generation.
  • Ensure proper error handling when reading from crypto/rand.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

Bug

Projects

UTMStack OSS

Status

🔖 Defined

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions