SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-323 Reusing a Nonce or IV

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged nonce/IV reuse across encryptions. Many modern crypto schemes require a unique nonce/IV per message; reusing it can break confidentiality (and sometimes integrity).

Why it matters

Nonce or IV reuse can break encryption guarantees.

Safer examples

1) Use libraries that manage nonces/IVs safely

Prefer high-level APIs that generate nonces and return them with ciphertext.

2) Prefer AEAD modes

Use AES‑GCM / ChaCha20‑Poly1305 and ensure nonces are unique per key.

3) If you must manage nonces yourself, enforce uniqueness

Use a counter-based nonce or random nonces with collision resistance, and never repeat for the same key.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.