Your RSA-2048 keys break in 2030. Find every one of them before attackers do.
📦 npm

GHSA-p4cc-w597-6cpm

CRITICAL

Cryptographically weak PRNG in `utils.generateUUID`

Also known asCVE-2022-36045
Published
Aug 30, 2022
Updated
Nov 8, 2023
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

EPSS Exploitation Probability

via FIRST.org ↗
1.0%probability of exploitation in next 30 days
Lower Risk59th percentile+0.30%
0.17%0.62%1.07%1.51%0.7%1.0%Dec 25Apr 26Jun 26

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

nodebbnpm
259downloads / week

Description

In Brief

utils.generateUUID, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier) used a cryptographically insecure Pseudo-random number generator (Math.random()), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to.

Impact

This vulnerability impacts all installations of NodeBB. The vulnerability allows for an attacker to take over any account without the involvement of the victim, and as such, the remediation should be applied immediately (either via NodeBB upgrade or cherry-pick of the specific changeset. Patches have been provided for both active branches of NodeBB (v2.x and v1.19.x)—please see below.

If you are already on v2.0.0 or v1.19.7, you can upgrade with no ill effects. The new version contains only the patch for this vulnerability.

The impact of this vulnerability is slightly lessened by the requirement that the target's email address must be known, and user emails are protected values in NodeBB. However, since NodeBB can be configured to display email addresses if the admin so wishes, and as email addresses can often by derived from other sources and/or guessed, the impact of this vulnerability is still fairly high.

Patches

v2.x

The vulnerability has been patched in https://github.com/NodeBB/NodeBB/commit/e802fab87f94a13f397f04cfe6068f2f7ddf7888. You can cherry-pick this directly into your codebase.

v1.19.x

The vulnerability has been patched in 81e3c1ba488d03371a5ce8d0ebb5c5803026e0f9. You can cherry-pick this directly into your codebase.

Workarounds

There is no known workaround, but the patch sets listed above will fully patch the vulnerability.

References

For more information

If you have any questions or comments about this advisory:

Affected Packages

2 total 2 fixed
EcosystemPackageVulnerable rangeFix
📦npmnodebball versions1.19.8
📦npmnodebb2.0.0&&< 2.0.12.0.1

Detection & mitigation playbook

Open-source dependency

  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for nodebb. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update nodebb to 1.19.8 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-p4cc-w597-6cpm is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-p4cc-w597-6cpm is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-p4cc-w597-6cpm. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

### In Brief `utils.generateUUID`, a helper function available in essentially all versions of NodeBB (as far back as v1.0.1 and potentially earlier) used a cryptographically insecure Pseudo-random number generator (`Math.random()`), which meant that a specially crafted script combined with multiple invocations of the password reset functionality could enable an attacker to correctly calculate the reset code for an account they do not have access to. ### Impact This vulnerability impacts all installations of NodeBB. The vulnerability allows for an attacker to take over any account without the
O3 Security · Impact-Aware SCA

Is GHSA-p4cc-w597-6cpm in your dependencies?

O3 detects GHSA-p4cc-w597-6cpm across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works