GHSA-h5vj-f7r9-w564 – text-qrcode

Package

Manager: npm
Name: text-qrcode
Vulnerable Version: >=0.0.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: N/A pctlN/A

Details

Entropy Backdoor in text-qrcode All versions of `text-qrcode` contain malicious code that overwrites the `randomBytes` method for the `crypto` module with a function that generates weak entropy. Instead of generating 32 bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a 32 byte value being returned, but one that is easily guessable. ## Recommendation Uninstall `text-qrcode` immediately. If the module was used to generate entropy that is load bearing, all such instances of generated entropy must be replaced. This includes things like bitcoin wallets, private keys, encrypted messages, etc.

Metadata

Created: 2020-09-01T21:22:35Z
Modified: 2021-10-01T13:30:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-h5vj-f7r9-w564/GHSA-h5vj-f7r9-w564.json
CWE IDs: ["CWE-506"]
Alternative ID: N/A
Finding: F448
Auto approve: 1