SYM_GO_0042 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
| Property | Value |
|---|---|
| Language |  |
| Severity |  |
| CWE | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| OWASP | A02:2021 - Cryptographic Failures |
| Confidence Level | Medium |
| Impact Level | Medium |
| Likelihood Level | Medium |
Description
The code is using Go's math/rand package to generate random numbers, which is not secure for cryptographic purposes. Instead, crypto/rand should be used to ensure randomness that can't be easily predicted.
Impact
If attackers can predict random values (such as session tokens, API keys, or passwords), they could hijack accounts or gain unauthorized access to sensitive data. This weak randomness undermines the security of cryptographic operations and can lead to serious breaches.