Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Affecting mozjs60-devel package, versions *


Severity

Recommended
0.0
medium
0
10

Based on CentOS security rating.

Threat Intelligence

EPSS
0.36% (28th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CENTOS8-MOZJS60DEVEL-9835626
  • published28 Apr 2025
  • disclosed26 Apr 2025

Introduced: 26 Apr 2025

CVE-2025-46653  (opens in a new tab)
CWE-338  (opens in a new tab)

How to fix?

There is no fixed version for Centos:8 mozjs60-devel.

NVD Description

Note: Versions mentioned in the description apply only to the upstream mozjs60-devel package and not the mozjs60-devel package as distributed by Centos. See How to fix? for Centos:8 relevant fixed versions and status.

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

CVSS Base Scores

version 3.1