crypto-browserify is an implementation of crypto for the browser.
Affected versions of the package are vulnerable to Insecure Randomness due to using the cryptographically insecure Math.random(). This function can produce predictable values and should not be used in security-sensitive contexts.
You can read more about Node's insecure Math.random() in Mike Malone's post.
I also saw this when running snyk test on a project.
$ snyk test
✗ High severity vulnerability found on crypto-browserify@1.0.9
- desc: Insecure Randomness
- info: https://snyk.io/vuln/npm:crypto-browserify:20140722
- from: redacted@0.0.1 > alexa-sdk@1.0.24 > aws-sdk@2.85.0 > crypto-browserify@1.0.9
No direct dependency upgrade can address this issue.
Run `snyk wizard` to explore remediation options.
The result you encountered is a false positive. The AWS SDK for JavaScript uses Node's crypto module (polyfilled with crypto-browserify in the browser SDK) to perform MD5 and SHA-256 hashing when signing requests and does not use it to directly perform any encryption, decryption, or random generation. The only time Math.random could be called is when UUIDs are generated for use as idempotency tokens in browsers that do not support WebCrypto's RandomSource.getRandomValues method.
lockbot locked as resolved and limited conversation to collaborators on Sep 29, 2019.
Labels: guidance (Question that needs advice or information.)