SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-338 Use of Cryptographically Weak PRNG

Coverage: 25 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 25 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged use of a non-cryptographic PRNG where security-grade randomness is required (tokens, reset links, session IDs, API keys, nonces).

Why it matters

Weak PRNGs can be predicted or replayed.

Safer examples

1) Use a cryptographically secure RNG (Node + Python)

import { randomBytes } from "node:crypto";
const token = randomBytes(32).toString("hex");
import secrets
token = secrets.token_urlsafe(32)

2) Don't use Math.random() / random() for secrets

Those are fine for UI effects and simulations, not auth tokens.

3) Keep entropy sufficient

Use at least 128 bits of entropy for security tokens (often 16+ bytes).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.