logo

Database

Insecure generation of random numbers In vantage6-server

Description

Vantage6 Server JWT secret not cryptographically secure

Impact

The JWT secret key in the vantage6 server is auto-generated unless defined by the user. The auto-generated key is a UUID1, which is not cryptographically secure as it is predictable to some extent

Patches

No

Workarounds

You may define JWT secret key in the server configuration file

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-438662. NVD-2025-438663. OSV-2025-438664. GHSA-m3mq-f375-5vgh5. GCVE-2025-43866

References

1. https://github.com/vantage6/vantage6/security/advisories/GHSA-m3mq-f375-5vgh2. https://github.com/vantage6/vantage6/commit/e39a262faf1cd4c554bf1b8e57eeea082da995c0

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.