Skip to main content

Use of Insufficiently Random Values


Severity High
Score 7.5/10

Summary is a realtime application framework that provides communication via websockets. Because 0.9.6 and earlier depends on `Math.random()` to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to servers, potentially obtaining sensitive information.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-330 - Use of Insufficiently Random Values

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

Advisory Timeline

  • Published