What is GHSA-rq8g-5pc5-wrhr?

GHSA-rq8g-5pc5-wrhr is a security advisory published by GitHub Security Advisories with Critical severity. Insufficient Entropy in cryptiles

Which CVE IDs does GHSA-rq8g-5pc5-wrhr cover?

GHSA-rq8g-5pc5-wrhr covers the following CVE IDs: CVE-2018-1000620. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-rq8g-5pc5-wrhr?

GHSA-rq8g-5pc5-wrhr has a CVSS v3 base score of 9.8, published by GitHub Security Advisories.

Which products are affected by GHSA-rq8g-5pc5-wrhr?

GHSA-rq8g-5pc5-wrhr affects 2 products, including: npm/cryptiles:\u003e= 4.0.0, \u003c 4.1.2; npm/cryptiles:\u003e= 3.1.0, \u003c 3.1.3.

GHSA-rq8g-5pc5-wrhrCriticalCVSS 9.8

Insufficient Entropy in cryptiles

Vendor

GitHub Security Advisories

Published

September 11, 2018

Last Modified

June 8, 2026

🔗 CVE IDs covered (1)

CVE-2018-1000620 →

📋 Description

Versions of cryptiles prior to 4.1.2 are vulnerable to Insufficient Entropy. The randomDigits() method does not provide sufficient entropy and its generates digits that are not evenly distributed.

Recommendation

Upgrade to version 4.1.2. The package is deprecated and has been moved to @hapi/cryptiles and it is strongly recommended to use the maintained package.

🎯 Affected products2

npm/cryptiles:>= 4.0.0, < 4.1.2
npm/cryptiles:>= 3.1.0, < 3.1.3

🔗 References (10)

https://nvd.nist.gov/vuln/detail/CVE-2018-1000620
https://github.com/hapijs/cryptiles/issues/34
https://github.com/nodejs/security-wg/blob/master/vuln/npm/476.json
https://www.npmjs.com/advisories/720
https://www.npmjs.com/advisories/1464
https://github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
https://github.com/hapijs/cryptiles/issues/35
https://github.com/hapijs/cryptiles/commit/6bdcd0f6ee8ade96e7b30350bad39ee0c2ef0f9b
https://github.com/hapijs/cryptiles/commit/cb6bd642816e0cb8341d2b3896fd9e7c57e94f56
https://github.com/advisories/GHSA-rq8g-5pc5-wrhr