Skip to content

Entropy Backdoor in text-qrcode

High severity GitHub Reviewed Published Sep 1, 2020 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

npm text-qrcode (npm)

Affected versions

>= 0.0.0

Patched versions

None

Description

All versions of text-qrcode contain malicious code that overwrites the randomBytes method for the crypto module with a function that generates weak entropy. Instead of generating 32 bytes, the infected randomBytes will generate 3 bytes of entropy and hash them, resulting in a 32 byte value being returned, but one that is easily guessable.

Recommendation

Uninstall text-qrcode immediately. If the module was used to generate entropy that is load bearing, all such instances of generated entropy must be replaced. This includes things like bitcoin wallets, private keys, encrypted messages, etc.

References

Reviewed Aug 31, 2020
Published to the GitHub Advisory Database Sep 1, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

Weaknesses

Embedded Malicious Code

The product contains code that appears to be malicious in nature. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-h5vj-f7r9-w564

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.