SYM_JSTS_0157 - SymbioticSec/Symbiotic-Vulnerability-Database GitHub Wiki
Generation of Weak Initialization Vector (IV)
| Property | Value |
|---|---|
| Language | |
| Severity | |
| CWE | CWE-1204: Generation of Weak Initialization Vector (IV) |
| Confidence Level | High |
| Impact Level | Medium |
| Likelihood Level | High |
Description
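Using 'createCipher' or 'createDecipher' in Node.js is insecure because these functions take only a password and derive both the key and the initialization vector (IV) from it deterministically, with no salt. The same password therefore always produces the same IV, so identical plaintexts encrypt to identical ciphertexts, making encrypted data predictable and vulnerable to attacks. Instead, use 'createCipheriv' with a unique, randomly generated IV for each encryption, and pass that same IV to 'createDecipheriv' when decrypting.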
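The following added example (not part of the original rule page) contrasts the weak pattern with a hardened one: a constant IV stands in for the fixed IV that 'createCipher' uses for a given password, next to per-message random IVs with AES-256-GCM. The function names, the demo key and the `iv || tag || ciphertext` layout are assumptions made for this example.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Constructed demo key; a real service loads its 32-byte key from a secret store.
const KEY = randomBytes(32);

// Weak: a constant IV, which is what createCipher amounts to for a given password.
const FIXED_IV = Buffer.alloc(16, 0);
function encryptFixedIv(plaintext) {
  const c = createCipheriv('aes-256-cbc', KEY, FIXED_IV);
  return Buffer.concat([c.update(plaintext, 'utf8'), c.final()]).toString('hex');
}

// What an observer learns: count of identical leading 16-byte blocks (32 hex chars).
function leadingEqualBlocks(hexA, hexB) {
  let n = 0;
  while ((n + 1) * 32 <= Math.min(hexA.length, hexB.length) &&
         hexA.slice(n * 32, (n + 1) * 32) === hexB.slice(n * 32, (n + 1) * 32)) n++;
  return n;
}

// Hardened: fresh 12-byte IV per message, AES-256-GCM so tampering is detected.
// Output layout (assumption of this example): iv (12) || auth tag (16) || ciphertext.
function encrypt(plaintext) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', KEY, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function decrypt(blob) {
  const d = createDecipheriv('aes-256-gcm', KEY, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the tag does not match (modified IV, tag or ciphertext).
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Constructed sample records that share their first 16 bytes.
const recA = 'account=alice;amount=100';
const recB = 'account=alice;amount=999';
console.log('fixed IV, shared leading blocks:',
  leadingEqualBlocks(encryptFixedIv(recA), encryptFixedIv(recB)));
console.log('random IV, same plaintext, equal output:',
  encrypt(recA).equals(encrypt(recA)));
```

With the fixed IV, two records that begin with the same 16 bytes produce the same first ciphertext block, so an observer can tell they share a prefix without knowing the key.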
Impact
If exploited, attackers can decrypt or tamper with sensitive data, especially if the same key is reused. This breaks both data confidentiality and integrity, potentially exposing user information or allowing unauthorized data manipulation.