Cryptographic Backdoor

Affecting generate-password package, versions <1.4.1

medium severity

Overview

generate-password is a relatively extensive library for generating random and unique passwords.

Affected versions of this package are vulnerable to Cryptographic Backdoor: the generator produces random values that are biased towards certain characters, depending on the chosen character sets, so the resulting passwords may be easier to guess than their length suggests.

Remediation

Upgrade generate-password to version 1.4.1 or higher.

Credit: Unknown
CWE: CWE-310
Snyk ID: SNYK-JS-GENERATEPASSWORD-73498
Disclosed: 14 Dec, 2018
Published: 10 Jan, 2019