{"api_version":"1","generated_at":"2026-04-22T19:18:55+00:00","cve":"CVE-2022-35255","urls":{"html":"https://cve.report/CVE-2022-35255","api":"https://cve.report/api/cve/CVE-2022-35255.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-35255","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-35255"},"summary":{"title":"CVE-2022-35255","description":"A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned by EntropySource() may not be cryptographically strong and therefore is not suitable as keying material. Although this text names Node.js 18, the CVE record lists the fix as 16.17.1+ and 18.9.1+, and the NVD configuration on this record also marks Node.js 15.0.0-15.14.0 and 16.0.0 before 16.17.1 as affected; because the weakness is in secret-key generation itself, operators may want to regenerate secret keys produced by an affected version after upgrading.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2022-12-05 22:15:00","updated_at":"2023-03-01 15:03:00"},"problem_types":["CWE-338"],"metrics":[],"references":[{"url":"https://hackerone.com/reports/1690000","name":"https://hackerone.com/reports/1690000","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20230113-0002/","name":"https://security.netapp.com/advisory/ntap-20230113-0002/","refsource":"CONFIRM","tags":[],"title":"CVE-2022-35255 Node.js Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.debian.org/security/2023/dsa-5326","name":"DSA-5326","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5326-1 
nodejs","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf","name":"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf","refsource":"CONFIRM","tags":[],"title":"","mime":"application/pdf","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-35255","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-35255","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"11.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"lts","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":"15.14.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":"16.12.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"nodejs","cpe5":"node.js","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"-","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":""
,"cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"siemens","cpe5":"sinec_ins","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"siemens","cpe5":"sinec_ins","cpe6":"1.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"siemens","cpe5":"sinec_ins","cpe6":"1.0","cpe7":"sp1","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"35255","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"siemens","cpe5":"sinec_ins","cpe6":"1.0","cpe7":"sp2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-35255","qid":"160143","title":"Oracle Enterprise Linux Security Update for nodejs (ELSA-2022-6963)"},{"cve":"CVE-2022-35255","qid":"160144","title":"Oracle Enterprise Linux Security Update for nodejs:16 (ELSA-2022-6964)"},{"cve":"CVE-2022-35255","qid":"160211","title":"Oracle Enterprise Linux Security Update for nodejs:18 (ELSA-2022-7821)"},{"cve":"CVE-2022-35255","qid":"181502","title":"Debian Security Update for nodejs (DSA 5326-1)"},{"cve":"CVE-2022-35255","qid":"183889","title":"Debian Security Update for nodejs (CVE-2022-35255)"},{"cve":"CVE-2022-35255","qid":"240731","title":"Red Hat Update for nodejs:16 (RHSA-2022:6964)"},{"cve":"CVE-2022-35255","qid":"240732","title":"Red Hat Update for nodejs (RHSA-2022:6963)"},{"cve":"CVE-2022-35255","qid":"240857","title":"Red Hat Update for nodejs:18 (RHSA-2022:7821)"},{"cve":"CVE-2022-35255","qid":"283356","title":"Fedora Security Update for nodejs (FEDORA-2022-de515f765f)"},{"cve":"CVE-2022-35255","qid":"283357","title":"Fedora Security 
Update for nodejs (FEDORA-2022-52dec6351a)"},{"cve":"CVE-2022-35255","qid":"283432","title":"Fedora Security Update for nodejs (FEDORA-2022-1667f7b60a)"},{"cve":"CVE-2022-35255","qid":"296098","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 52.132.2 Missing (CPUOCT2022)"},{"cve":"CVE-2022-35255","qid":"355273","title":"Amazon Linux Security Advisory for nodejs : ALAS2023-2023-084"},{"cve":"CVE-2022-35255","qid":"502514","title":"Alpine Linux Security Update for nodejs-current"},{"cve":"CVE-2022-35255","qid":"502531","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2022-35255","qid":"504211","title":"Alpine Linux Security Update for nodejs"},{"cve":"CVE-2022-35255","qid":"753199","title":"SUSE Enterprise Linux Security Update for nodejs16 (SUSE-SU-2022:3656-1)"},{"cve":"CVE-2022-35255","qid":"753404","title":"SUSE Enterprise Linux Security Update for nodejs16 (SUSE-SU-2022:3615-1)"},{"cve":"CVE-2022-35255","qid":"753698","title":"SUSE Enterprise Linux Security Update for nodejs18 (SUSE-SU-2023:0419-1)"},{"cve":"CVE-2022-35255","qid":"940692","title":"AlmaLinux Security Update for nodejs (ALSA-2022:6963)"},{"cve":"CVE-2022-35255","qid":"940721","title":"AlmaLinux Security Update for nodejs:16 (ALSA-2022:6964)"},{"cve":"CVE-2022-35255","qid":"940740","title":"AlmaLinux Security Update for nodejs:18 (ALSA-2022:7821)"},{"cve":"CVE-2022-35255","qid":"960403","title":"Rocky Linux Security Update for nodejs:16 (RLSA-2022:6964)"},{"cve":"CVE-2022-35255","qid":"960479","title":"Rocky Linux Security Update for nodejs:18 (RLSA-2022:7821)"},{"cve":"CVE-2022-35255","qid":"960543","title":"Rocky Linux Security Update for nodejs 
(RLSA-2022:6963)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-35255","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/nodejs/node","version":{"version_data":[{"version_value":"Fixed in 16.17.1+,18.9.1+"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CWE-338)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://hackerone.com/reports/1690000","url":"https://hackerone.com/reports/1690000"},{"refsource":"CONFIRM","name":"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20230113-0002/","url":"https://security.netapp.com/advisory/ntap-20230113-0002/"},{"refsource":"DEBIAN","name":"DSA-5326","url":"https://www.debian.org/security/2023/dsa-5326"}]},"description":{"description_data":[{"lang":"eng","value":"A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 
2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material."}]}},"nvd":{"publishedDate":"2022-12-05 22:15:00","lastModifiedDate":"2023-03-01 15:03:00","problem_types":["CWE-338"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"16.0.0","versionEndIncluding":"16.12.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*","versionStartIncluding":"16.13.0","versionEndExcluding":"16.17.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"18.0.0","versionEndExcluding":"18.9.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*","versionStartIncluding":"15.0.0","versionEndIncluding":"15.14.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes
":[]}}}