Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CWE-330 (使用不充分的随机数) — Vulnerability Class 112

112 vulnerabilities classified as CWE-330 (使用不充分的随机数). AI Chinese analysis included.

CWE-330 represents a critical weakness where software relies on predictable or insufficiently random values within security-sensitive contexts, such as session token generation or cryptographic key creation. Attackers typically exploit this flaw by analyzing patterns in the generated values to predict future outputs, thereby bypassing authentication mechanisms or hijacking active user sessions. This vulnerability often stems from the misuse of standard pseudo-random number generators that lack cryptographic security properties. To mitigate this risk, developers must employ cryptographically secure pseudo-random number generators (CSPRNGs) that are specifically designed to resist prediction even if previous outputs are known. Additionally, ensuring proper seeding with high-entropy sources and avoiding custom randomization algorithms are essential practices for maintaining the integrity of security-dependent operations.

MITRE CWE Description
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Common Consequences (3)
Confidentiality, OtherOther
When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.
Access Control, OtherBypass Protection Mechanism, Other
If product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the…
Access ControlBypass Protection Mechanism, Gain Privileges or Assume Identity
When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.
Mitigations (3)
Architecture and DesignUse a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce…
ImplementationConsider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Architecture and Design, RequirementsUse products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Examples (2)
This code attempts to generate a unique random identifier for a user's session.
function generateSessionID($userID){ srand($userID); return rand(); }
Bad · PHP
The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.
String GenerateReceiptURL(String baseUrl) { Random ranGen = new Random(); ranGen.setSeed((new Date()).getTime()); return(baseUrl + ranGen.nextInt(400000000) + ".html"); }
Bad · Java
CVE IDTitleCVSSSeverityPublished
CVE-2026-7847 chatchat-space Langchain-Chatchat Uploaded File openai_routes.py _get_file_id random values — Langchain-Chatchat 2.6 Low2026-05-05
CVE-2026-40975 VMware Spring Boot 安全特征问题漏洞 — Spring Boot 4.8 Medium2026-04-27
CVE-2026-40496 FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force — freescout 8.2AIHighAI2026-04-21
CVE-2026-40306 DNN has same HostGUID for all new installs — Dnn.Platform 5.4AIMediumAI2026-04-17
CVE-2026-33710 Chamilo LMS has Weak REST API Key Generation (Predictable) — chamilo-lms 7.5 High2026-04-10
CVE-2026-34511 OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter — OpenClaw 5.3 Medium2026-04-03
CVE-2025-15603 open-webui JWT Key start_windows.bat random values — open-webui 3.7 Low2026-03-09
CVE-2026-25072 XikeStor SKS8310-8X Predictable Session Identifiers — XikeStor SKS8310-8X 9.1 -2026-03-07
CVE-2026-20101 Cisco Secure Firewall Adaptive Security Appliance和Cisco Secure FTD Software 安全特征问题漏洞 — Cisco Secure Firewall Adaptive Security Appliance (ASA) Software 8.6 High2026-03-04
CVE-2026-27755 SODOLA SL902-SWTGW124AS <= 200.1.20 Predictable Session ID — SODOLA SL902-SWTGW124AS 9.8 Critical2026-02-27
CVE-2026-23999 Fleet: Device lock PIN can be predicted if lock time is known — fleet 5.7AIMediumAI2026-02-26
CVE-2026-27637 FreeScout's Predictable Authentication Token Enables Account Takeover — freescout 9.8 Critical2026-02-25
CVE-2024-48928 Piwigo's secret key can be brute forced — Piwigo 7.5 -2026-02-24
CVE-2026-27515 Binardat 10G08-0800GSM Network Switch Predictable Session Identifiers — 10G08-0800GSM Network Switch 9.1 Critical2026-02-24
CVE-2026-2966 Cesanta Mongoose DNS Transaction ID dns.c mg_sendnsreq random values — Mongoose 3.7 Low2026-02-23
CVE-2025-15574 Insecure Credential Generation for Solax Power Pocket WiFi models MQTT Cloud Connection — Pocket WiFi 3.0 9.8AICriticalAI2026-02-12
CVE-2025-64097 NervesHub has Insufficient Token Entropy that Allows Authentication Bypass via Brute Force — nerves_hub_web 8.1AIHighAI2026-01-22
CVE-2025-68704 Jervis has a Weak Random for Timing Attack Mitigation — jervis 7.5AIHighAI2026-01-13
CVE-2025-11723 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 - Unauthenticated Sensitive Information Exposure — Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin 6.5 Medium2026-01-06
CVE-2025-11707 Login Lockdown & Protection <= 2.14 - IP Block Bypass — Login Lockdown & Protection 5.3 Medium2025-12-13
CVE-2025-13955 Predictable Default Wi-Fi Password in EZCast Pro II Dongle — EZCast Pro II 8.1AIHighAI2025-12-10
CVE-2025-66511 Nextcloud Calendar app used predictable proposal participant tokens — security-advisories 4.8 Medium2025-12-05
CVE-2025-13353 gokey allows secret recovery from a seed file without the master password — gokey 9.1AICriticalAI2025-12-02
CVE-2025-59371 ASUS Router 安全漏洞 — Router 8.8AIHighAI2025-11-25
CVE-2025-13470 RNP 0.18.0 Vulnerable PKESK session keys — RNP 7.5 High2025-11-21
CVE-2025-12787 Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation — Hydra Booking — Appointment Scheduling & Booking Calendar 5.3 Medium2025-11-11
CVE-2025-6515 Reuse of session IDs in oatpp-mcp leads to session hijacking and prompt hijacking by remote attackers — oatpp-mcp 6.8 Medium2025-10-20
CVE-2025-10745 Banhammer – Monitor Site Traffic, Block Bad Users and Bots <= 3.4.8 - Unauthenticated Protection Mechanism Bypass — Banhammer – Monitor Site Traffic, Block Bad Users and Bots 5.3 Medium2025-09-26
CVE-2025-10671 youth-is-as-pale-as-poetry e-learning JWT Token JwtUtils.java encryptSecret random values — e-learning 3.7 Low2025-09-18
CVE-2025-7783 Usage of unsafe random function in form-data for choosing boundary 8.2 -2025-07-18

Vulnerabilities classified as CWE-330 (使用不充分的随机数) represent 112 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.