An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWg1dmotZjdyOS13NTY0
Entropy Backdoor in text-qrcode
All versions of
text-qrcode contain malicious code that overwrites the
randomBytes method for the
crypto module with a function that generates weak entropy. Instead of generating 32 bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a 32 byte value being returned, but one that is easily guessable.
text-qrcode immediately. If the module was used to generate entropy that is load bearing, all such instances of generated entropy must be replaced. This includes things like bitcoin wallets, private keys, encrypted messages, etc.
Source: GitHub Advisory Database
Published: about 3 years ago
Updated: 9 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
No known fixed version