Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
When a non-cryptographic PRNG is used in a security context (such as generating session tokens or cryptographic keys), an attacker may be able to predict its output and compromise the security mechanism.
How to fix this vulnerability
Prevention strategies for Weak PRNG based on 4 Shoulder detection rules.
Use crypto/rand instead of math/rand for security-sensitive values
- import "math/rand" - - func generateToken() string { - token := make([]byte, 32) - rand.Read(token) - return hex.EncodeToString(token) + import "crypto/rand" + + func generateToken() (string, error) { + token := make([]byte, 32) + if _, err := rand.Read(token); err != nil { + return "", err + } + return hex.EncodeToString(token), nil }
Use crypto.randomBytes() or crypto.randomUUID() for security-sensitive random values
- const token = Math.random().toString(36).substring(2); + const crypto = require('crypto'); + const token = crypto.randomBytes(32).toString('hex');
Use the secrets module for tokens, passwords, and all security-sensitive randomness
- import random - - def generate_token(): - token = random.randint(100000, 999999) - return str(token) + import secrets + + def generate_token(): + return secrets.token_urlsafe(32)
Use the secrets module instead of random for security-sensitive operations
- import random - - def generate_token(): - chars = 'abcdef0123456789' - return ''.join(random.choice(chars) for _ in range(32)) + import secrets + + def generate_token(): + return secrets.token_hex(32)
Key Practices
- Use of Math
Find vulnerabilities in your code
Use Shoulder to scan your codebase for Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) patterns. 4 rules.
# Scan with Shoulder CLI npx @shoulderdev/cli trust --cwe=338 # Or scan entire project npx @shoulderdev/cli trust .
Detection Rules (4)
What to watch for in code reviews
These patterns indicate potential Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerabilities. Look for these during code reviews and security audits.
Scan your codebase for Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Shoulder CLI finds vulnerable patterns across your entire codebase.