CWE-330 (Use of Insufficiently Random Values) — Vulnerability Class 112

112 vulnerabilities classified as CWE-330 (Use of Insufficiently Random Values). AI Chinese analysis included.

CWE-330 represents a critical weakness where software relies on predictable or insufficiently random values within security-sensitive contexts, such as session token generation or cryptographic key creation. Attackers typically exploit this flaw by analyzing patterns in the generated values to predict future outputs, thereby bypassing authentication mechanisms or hijacking active user sessions. This vulnerability often stems from the misuse of standard pseudo-random number generators that lack cryptographic security properties. To mitigate this risk, developers must employ cryptographically secure pseudo-random number generators (CSPRNGs) that are specifically designed to resist prediction even if previous outputs are known. Additionally, ensuring proper seeding with high-entropy sources and avoiding custom randomization algorithms are essential practices for maintaining the integrity of security-dependent operations.

MITRE CWE Description
The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.
Common Consequences (3)
Scope: Confidentiality, Other · Impact: Other
When a protection mechanism relies on random values to restrict access to a sensitive resource, such as a session ID or a seed for generating a cryptographic key, then the resource being protected could be accessed by guessing the ID or key.
Scope: Access Control, Other · Impact: Bypass Protection Mechanism, Other
If product relies on unique, unguessable IDs to identify a resource, an attacker might be able to guess an ID for a resource that is owned by another user. The attacker could then read the resource, or pre-create a resource with the same ID to prevent the legitimate program from properly sending the…
Scope: Access Control · Impact: Bypass Protection Mechanism, Gain Privileges or Assume Identity
When an authorization or authentication mechanism relies on random values to restrict access to restricted functionality, such as a session ID or a seed for generating a cryptographic key, then an attacker may access the restricted functionality by guessing the ID or key.
Mitigations (3)
Architecture and Design: Use a well-vetted algorithm that is currently considered to be strong by experts in the field, and select well-tested implementations with adequate length seeds. In general, if a pseudo-random number generator is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts. Pseudo-random number generators can produce…
Implementation: Consider a PRNG that re-seeds itself as needed from high quality pseudo-random output sources, such as hardware devices.
Architecture and Design, Requirements: Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems. Consult FIPS 140-2 Annex C ("Approved Random Number Generators").
Examples (2)
This code attempts to generate a unique random identifier for a user's session.
    function generateSessionID($userID){
        srand($userID);
        return rand();
    }
Bad · PHP
The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.
    String GenerateReceiptURL(String baseUrl) {
        Random ranGen = new Random();
        ranGen.setSeed((new Date()).getTime());
        return(baseUrl + ranGen.nextInt(400000000) + ".html");
    }
Bad · Java
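The two bad examples above share one flaw: the output is a pure function of a guessable seed. The following is an added Python analogue, not MITRE's or this site's code, that shows the effect and a CSPRNG-based replacement; the function names, the sample user ID, the timestamp and the base URL are constructed for illustration.

```python
import random
import secrets

NOMINAL_RANGE = 400_000_000  # same bound as nextInt(400000000) in the Java example


def weak_session_id(user_id: int) -> int:
    # Analogue of the PHP example: the only input is the user ID,
    # so the "random" ID is fully determined by a guessable value.
    return random.Random(user_id).randrange(2**31)


def weak_receipt_number(seed_ms: int) -> int:
    # Analogue of the Java example: statistical PRNG seeded with a timestamp.
    return random.Random(seed_ms).randrange(NOMINAL_RANGE)


def effective_space(start_ms: int, window_ms: int) -> int:
    # Distinct receipt numbers possible when the purchase time is known
    # to within window_ms. This, not NOMINAL_RANGE, bounds the guessing work.
    return len({weak_receipt_number(t)
                for t in range(start_ms, start_ms + window_ms)})


def strong_session_id() -> str:
    # 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
    return secrets.token_urlsafe(32)


def strong_receipt_url(base_url: str) -> str:
    # 128 bits from the OS CSPRNG; there is no application-chosen seed.
    return f"{base_url}{secrets.token_hex(16)}.html"


if __name__ == "__main__":
    uid = 1001                      # constructed sample user ID
    t0 = 1_700_000_000_000          # constructed sample timestamp (ms)
    print("weak ID repeats:", weak_session_id(uid) == weak_session_id(uid))
    print("nominal range:", NOMINAL_RANGE,
          "effective (1 s window):", effective_space(t0, 1000))
    print("strong ID:", strong_session_id())
    print("strong URL:", strong_receipt_url("https://shop.example/receipts/"))
```
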
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2025-43866 | Vantage6 Server JWT secret not cryptographically secure — vantage6 | 6.5 (AI) | Medium (AI) | 2025-06-12 |
| CVE-2025-49198 | Poor quality of randomness in authorization tokens — SICK Media Server | 3.1 | Low | 2025-06-12 |
| CVE-2025-4607 | PSW Front-end Login & Registration <= 1.12 - Insufficiently Random Values to Unauthenticated Account Takeover/Privilege Escalation via customer_registration Function — PSW Front-end Login & Registration | 9.8 | Critical | 2025-05-31 |
| CVE-2025-5136 | Tmall Demo Payment Identifier pay random values — Demo | 3.7 | Low | 2025-05-24 |
| CVE-2025-1953 | vLLM AIBrix Prefix Caching hash.go random values — AIBrix | 2.6 | Low | 2025-03-04 |
| CVE-2024-10604 | Identifiable Header Values In Fuchsia Leading To Tracking of The User — Fuchsia | 7.5 | - | 2025-01-30 |
| CVE-2025-22150 | Undici Uses Insufficiently Random Values — undici | 6.8 | Medium | 2025-01-21 |
| CVE-2024-12432 | WPC Shop as a Customer for WooCommerce <= 1.2.8 - Authentication Bypass Due to Insufficiently Unique Key — WPC Shop as a Customer for WooCommerce | 8.1 | High | 2024-12-18 |
| CVE-2024-52615 | Avahi: avahi wide-area dns uses constant source port | 5.3 | Medium | 2024-11-21 |
| CVE-2024-20331 | Cisco Adaptive Security Appliance and Firepower Threat Defense Software VPN Authentication DoS Vulnerability — Cisco Adaptive Security Appliance (ASA) Software | 6.8 | Medium | 2024-10-23 |
| CVE-2024-47188 | Suricata http/byte-ranges: missing hashtable random seed leads to potential DoS — suricata | 7.5 | High | 2024-10-16 |
| CVE-2024-47187 | Suricata datasets: missing hashtable random seed leads to potential DoS — suricata | 7.5 | High | 2024-10-16 |
| CVE-2024-6348 | Predictable seed generation after ECU reset — Altima | 6.1 (AI) | Medium (AI) | 2024-08-19 |
| CVE-2024-42475 | OAuth library for nim allows insecure generation of state values by generateState - entropy too low and uses regular PRNG instead of CSPRNG — oauth | 6.5 | Medium | 2024-08-15 |
| CVE-2024-42165 | Arbitrary User Activation — FIWARE Keyrock | 6.3 | Medium | 2024-08-12 |
| CVE-2024-7659 | projectsend Password Reset Token functions.php generate_random_string random values — projectsend | 3.7 | Low | 2024-08-11 |
| CVE-2024-21460 | Use of Insufficiently Random Values in Core — Snapdragon | 7.1 | High | 2024-07-01 |
| CVE-2024-25943 | Dell iDRAC9 security vulnerability — Integrated Dell Remote Access Controller 9 | 7.6 | High | 2024-06-29 |
| CVE-2024-5868 | WooCommerce - Social Login <= 2.6.2 - Email Verification due to Insufficient Randomness — WooCommerce - Social Login | 6.5 | Medium | 2024-06-15 |
| CVE-2024-35292 | Multiple Siemens products security feature issue vulnerability — SIMATIC S7-200 SMART CPU CR40 | 8.2 | High | 2024-06-11 |
| CVE-2024-5149 | BuddyForms <= 2.8.9 - Email Verification Bypass due to Insufficient Randomness — Post Form – Registration Form – Profile Form for User Profiles – Frontend Content Forms for User Submissions (UGC) | 6.5 | Medium | 2024-06-05 |
| CVE-2024-36389 | MileSight DeviceHub - CWE-330 Use of Insufficiently Random Values — DeviceHub | 9.8 | Critical | 2024-06-02 |
| CVE-2024-4185 | Customer Email Verification for WooCommerce <= 2.7.4 - Email Verification and Authentication Bypass due to Insufficient Randomness — Customer Email Verification for WooCommerce | 8.1 | High | 2024-04-30 |
| CVE-2023-6799 | WP Reset <= 2.0 - Sensitive Information Exposure due to Insufficient Randomness — WP Reset | 5.9 | Medium | 2024-04-09 |
| CVE-2024-28013 | NEC Corporation Aterm security vulnerability — WG1800HP4 | 8.1 (AI) | High (AI) | 2024-03-28 |
| CVE-2024-21495 | caddy-security security vulnerability — github.com/greenpau/caddy-security | 6.5 | Medium | 2024-02-17 |
| CVE-2024-0761 | File Manager <= 7.2.1 - Sensitive Information Exposure via Backup Filenames — File Manager | 8.1 | High | 2024-02-05 |
| CVE-2023-46740 | Insecure random string generator used for sensitive data — cubefs | 6.5 | Medium | 2024-01-03 |
| CVE-2023-4462 | Poly VVX 601 Web Configuration Application random values — Trio 8300 | 3.7 | Low | 2023-12-29 |
| CVE-2023-6376 | Henschen & Associates court document management software cache uses predictable file names — court document management software | 5.3 | Medium | 2023-11-30 |

Vulnerabilities classified as CWE-330 (Use of Insufficiently Random Values) represent 112 CVEs. The CWE taxonomy describes the weakness; review individual CVEs for product-specific impact.