CWE-329 Not Using a Random IV with CBC Mode
Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.
What this means
SiteShadow flagged CBC-mode encryption that does not use a fresh, random IV for each encryption. Reusing or fixing IVs makes ciphertext patterns predictable and can leak information.
Why it matters
Predictable IVs weaken confidentiality and enable pattern leakage.
- Identical plaintext blocks can produce predictable ciphertext patterns.
- In some schemes, IV misuse can enable broader cryptographic attacks.
Safer examples
1) Prefer modern authenticated encryption modes
Use AES‑GCM / ChaCha20‑Poly1305 via a vetted library instead of rolling CBC manually.
2) If using CBC, generate a random IV per encryption
Store/transmit the IV alongside the ciphertext (IV does not need to be secret, but must be unpredictable).
3) Never reuse IVs with the same key
Treat IV generation as part of the encryption API; avoid custom IV handling.
How SiteShadow detects it (high level)
- Flags crypto API usage where CBC mode is configured with static/predictable IVs.
- Detects IV values derived from constants, zeros, timestamps, or reused variables.
References
- CWE-329: https://cwe.mitre.org/data/definitions/329.html
---
← Back to Vulnerability Library
Catch this with SiteShadow Pro.
This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.