CVE-2015-8851
Information Exposure vulnerability in node-uuid (npm)
What is CVE-2015-8851 About?
This Information Exposure vulnerability in `node-uuid` prior to version 1.4.4 causes it to consistently use `Math.random` as an entropy source instead of a cryptographically secure source. This results in guessable UUIDs, which can lead to predictability and potential information leakage or collisions. The vulnerability is easy to exploit as it relies on the library's inherent behavior.
Affected Software
Technical Details
The node-uuid library, in versions before 1.4.4, fails to adequately use a cryptographically strong random number generator when generating UUIDs. Specifically, when crypto.getRandomValues (or its equivalent) is unavailable or not prioritized, the library falls back to using Math.random(). Math.random() is designed for statistical randomness, not cryptographic security, meaning its output is predictable. This predictability makes the generated UUIDs guessable by an attacker, reducing their uniqueness and introducing the risk of collisions or allowing an attacker to predict future UUIDs. Such predictable identifiers can undermine security mechanisms that rely on UUIDs for uniqueness, session identification, or resource naming, leading to information exposure or certain types of bypasses.
What is the Impact of CVE-2015-8851?
Successful exploitation may allow attackers to guess or predict UUIDs, leading to information exposure, unauthorized access, or collisions that disrupt application logic.
What is the Exploitability of CVE-2015-8851?
Exploitation of this Information Exposure vulnerability is of low complexity as it involves observing the predictable nature of UUIDs generated by the affected node-uuid library. The attacker does not need authentication or special privileges. Remote or local access is dependent on how the UUIDs are exposed by the application; if UUIDs are used in public-facing identifiers (e.g., URLs, API keys), remote exploitation is straightforward. The vulnerability is a consequence of the library's internal entropy source selection, so no specific attack vector beyond simply receiving or generating UUIDs via the library is required. The primary risk factor is any system relying on the 'randomness' or unguessability of UUIDs generated by affected versions of node-uuid for security-sensitive operations, as an attacker can statistically infer or predict them.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2015-8851?
Available Upgrade Options
- node-uuid
- <1.4.4 → Upgrade to 1.4.4
Additional Resources
- https://github.com/broofa/node-uuid/issues/108
- https://nvd.nist.gov/vuln/detail/CVE-2015-8851
- http://www.openwall.com/lists/oss-security/2016/04/13/8
- https://nodesecurity.io/advisories/93
- https://github.com/broofa/node-uuid/issues/122
- https://osv.dev/vulnerability/GHSA-265q-28rp-chq5
- https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d
- https://bugzilla.redhat.com/show_bug.cgi?id=1327056
What are Similar Vulnerabilities to CVE-2015-8851?
Similar Vulnerabilities: CVE-2020-15945, CVE-2020-15946, CVE-2020-15947, CVE-2021-23363, CVE-2021-23364
