CVE-2020-36732: Medium severity Crypto-js Project Crypto-js vulnerability
Published Jun 12, 2023
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
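The effect of that construction can be counted exactly. The following is an added example, not crypto-js source code; it assumes the integer is a uniformly random unsigned 32-bit value (the advisory does not state the integer's width), and all function names are hypothetical. It shows how unevenly "0." plus the integer's digits fills the interval [0, 1) compared with scaling the integer.

```javascript
// Added illustration, not crypto-js code.
// ASSUMPTION: the integer is a uniform unsigned 32-bit value.
const MAX = 2 ** 32 - 1;

// The construction the advisory describes: "0." followed by the decimal digits.
function concatToFloat(n) {
  return Number("0." + String(n));
}

// Uniform mapping for comparison: scale the integer into [0, 1).
function scaleToFloat(n) {
  return n / 2 ** 32;
}

// Exact count of integers in [0, MAX] whose decimal form starts with `digit`
// (1-9). concatToFloat maps exactly these into [digit/10, (digit+1)/10).
function countLeadingDigit(digit) {
  let count = 0;
  for (let pow = 1; digit * pow <= MAX; pow *= 10) {
    const lo = digit * pow;
    const hi = Math.min((digit + 1) * pow - 1, MAX);
    count += hi - lo + 1;
  }
  return count;
}

// Probability that the concatenated output lands in each tenth of [0, 1).
function bucketProbabilities() {
  const total = MAX + 1;
  const probs = [1 / total]; // only n = 0 produces a value below 0.1
  for (let d = 1; d <= 9; d++) probs.push(countLeadingDigit(d) / total);
  return probs;
}

// A uniform generator would put 10% in every bucket.
bucketProbabilities().forEach((p, i) => {
  const range = `[${(i / 10).toFixed(1)}, ${((i + 1) / 10).toFixed(1)})`;
  console.log(range, (p * 100).toFixed(2) + "%");
});
```

Under this assumption roughly 78% of outputs fall in [0.1, 0.4), and no output other than 0 is ever below 0.1.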
Affected Software
3 affected components
Fixes available
npm/crypto-js <3.2.1 (fixed in 3.2.1)
Crypto-js Project Crypto-js <3.2.1
IBM Tivoli Netcool Impact <=7.1.0.0 - 7.1.0.37
Remediation
Patch Available
Event History
Jun 12, 2023
CVE Published
via MITRE·12:00 AM
Data Sourced
via MITRE·12:00 AM
Description
Advisory Published
via GitHub·03:30 AM
Apr 1, 2026
Data Sourced
via IBM·12:00 AM
Description, Affected Software
Frequently Asked Questions
1. What is CVE-2020-36732?
CVE-2020-36732 is a vulnerability in the crypto-js package for Node.js that generates predictable random numbers.
2. What is the severity of CVE-2020-36732?
The severity of CVE-2020-36732 is medium, with a CVSS score of 5.3.
3. How does CVE-2020-36732 affect software?
CVE-2020-36732 affects versions of the crypto-js package up to and excluding 3.2.1 for Node.js.
4. How can I fix CVE-2020-36732?
To fix CVE-2020-36732, update the crypto-js package to version 3.2.1 or higher.
5. What is CWE-330?
CWE-330 is a classification for vulnerabilities related to predictable random number generation.