Scala Random Hardcoded Seed
Description
This detector identifies hardcoded seed values used with Scala's Random.setSeed() method. Using hardcoded seeds makes random number generation predictable, which can compromise cryptographic security, session tokens, and other security-sensitive random values.
Detection Strategy
• Reports vulnerability when Scala code imports Random utility classes (scala.util.Random, scala.util._, or scala.util.*)
• Identifies calls to the setSeed() method on Random objects
• Checks if the seed parameter passed to setSeed() is a hardcoded literal value rather than a dynamic/computed value
• Triggers when all conditions are met: Random import exists, setSeed method call found, and seed argument is hardcoded
Vulnerable code example
import scala.util.Random
class VulnerableExample {
  def example(): Unit = {
    val rng = new Random()
    rng.setSeed(12345L) // VULNERABLE: hardcoded seed makes random predictable
  }
}

✅ Secure code example
import scala.util.Random
class SecureExample {
  def example(): Unit = {
    val rng = new Random() // SAFE: no hardcoded seed, uses secure default initialization
  }
}
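A minimal line-based check that mirrors the three detection conditions above, run over the two snippets from this page and a constructed variant that seeds from a runtime value; this is an added illustration, not Fluid Attacks' detector code, and the regexes, the `HardcodedSeedCheck` object and the `Finding` type are assumptions of this example.

```scala
import scala.util.matching.Regex

object HardcodedSeedCheck {
  // Condition 1: the file brings scala.util.Random into scope.
  // Assumption: the three spellings named on the page plus the selector
  // form `import scala.util.{Random, ...}` are the only ones considered.
  private val importRe: Regex =
    """^\s*import\s+scala\.util\.(?:Random(?!\w)|_|\*|\{[^}]*\bRandom\b[^}]*\})""".r

  // Conditions 2 and 3: a setSeed(...) call whose argument is a numeric
  // literal (decimal or hex, optional L suffix), not an identifier or an
  // expression such as System.nanoTime().
  private val hardcodedSeedRe: Regex =
    """\.setSeed\(\s*(?:0[xX][0-9a-fA-F]+|\d+)[lL]?\s*\)""".r

  final case class Finding(line: Int, text: String)

  // One Finding per offending line; empty when the Random import is absent
  // or every seed is computed at runtime.
  def scan(source: String): Seq[Finding] = {
    val lines = source.linesIterator.toVector
    val importsRandom = lines.exists(l => importRe.findFirstIn(l).isDefined)
    if (!importsRandom) Vector.empty
    else
      lines.zipWithIndex.collect {
        case (l, i) if hardcodedSeedRe.findFirstIn(l).isDefined =>
          Finding(i + 1, l.trim)
      }
  }

  def main(args: Array[String]): Unit = {
    // Constructed inputs: the vulnerable snippet from this page, the secure
    // snippet (no setSeed call), and a variant seeded from a runtime value,
    // which the check must not flag.
    val vulnerable =
      """import scala.util.Random
        |class VulnerableExample {
        |  def example(): Unit = {
        |    val rng = new Random()
        |    rng.setSeed(12345L)
        |  }
        |}""".stripMargin
    val secure = vulnerable.replace("rng.setSeed(12345L)", "")
    val dynamicSeed = vulnerable.replace("12345L", "System.nanoTime()")

    println(s"vulnerable: ${scan(vulnerable)}")
    println(s"secure:     ${scan(secure)}")
    println(s"dynamic:    ${scan(dynamicSeed)}")
  }
}
```

Note that scala.util.Random wraps java.util.Random, which is not a cryptographically secure generator even when left unseeded; for session tokens and other secrets, draw the bytes from java.security.SecureRandom instead.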