CVE-2022-35255 - Weak Randomness in WebCrypto KeyGen in Node.js 18

Node.js is a popular platform for building web apps and servers, but even top projects are not immune to serious bugs. In mid-2022, security researchers discovered CVE-2022-35255, a vulnerability rooted in how Node.js handled random numbers with its WebCrypto API for key generation. This post breaks down what happened, why it's dangerous, and how developers and security teams can protect their systems.

What Is CVE-2022-35255?

Summary:  
A flaw existed in Node.js 18 because of changes to how random data was generated during cryptographic key creation (keygen) in the WebCrypto API. Specifically, the issue was in the function SecretKeyGenTraits::DoKeyGen() found in src/crypto/crypto_keygen.cc.

Why Is Randomness Important In Crypto?

Most cryptographic systems—like HTTPS, JWT tokens, or password hashing—rely on generating *truly unpredictable keys*. If someone can guess or influence those keys, they can break the whole system.

Generating those unpredictable values is called "entropy". Computers usually try extra hard to use a *cryptographically secure random number generator* (CSPRNG), which often collects randomness based on hardware events or special OS APIs.

The Core Problem

After a Node.js 18 code change, the EntropySource function—meant to provide secure random bytes—was used badly in two key ways:

1. It Does Not Check the Return Value

The code assumes EntropySource() always works, but real-world entropy functions sometimes fail. For example, on system boot, there may not be enough entropy available. In such cases, a CSPRNG may refuse to give data, but the code ignored any errors.

> If EntropySource() fails but the code keeps going, the key it spits out may be predictable, blank, or weak.

2. Random Data May Not Be Cryptographically Strong

EntropySource() may not always give you secure, unpredictable random bytes suitable for cryptography. For safety, all key generation must use a CSPRNG, not just "any random numbers." But the code accepted whatever was returned, even when that data wasn't secure for cryptography.

The vulnerable function is in C++ inside Node.js. Here is a simplified and annotated version

// BAD: No checking for failure, and weak random may get used!
int SecretKeyGenTraits::DoKeyGen(...) {
    uint8_t random[KEY_LENGTH];
    EntropySource(random, KEY_LENGTH); // <-- No error check!
    // ... rest of the keygen logic ...
}

What SHOULD happen

// GOOD: Checks return value and assures strong randomness
int SecretKeyGenTraits::DoKeyGen(...) {
    uint8_t random[KEY_LENGTH];
    int result = EntropySource(random, KEY_LENGTH);
    if (result != ) {
        // handle the failure securely!
        throw std::runtime_error("Failed to generate strong random data");
    }
    // ... rest of the keygen logic ...
}

Why Does This Matter?

If someone can predict the random numbers used for keys, they can possibly decrypt sensitive traffic, impersonate users, or forge tokens. Weak keys are the cryptographic equivalent of leaving your house unlocked.

Attackers with access to the system or even just enough information about its startup state could theoretically:

Exploit Details

This bug is *hard to exploit* directly in an ordinary Node.js deployment, but in special cases (like soon after reboot, inside containers, or on embedded hardware), the random data returned by EntropySource() can be *very predictable*—think of all zeros or repeated values.

Example in JavaScript

// User code is safe, but Node.js under the hood is not!
const { subtle } = require('crypto').webcrypto;
const key = await subtle.generateKey(
  { name: "AES-GCM", length: 256 },
  true,
  ["encrypt", "decrypt"]
);
// key may be WEAKEST if bug is present and system entropy is low

Node.js 18.x before v18.7.

Patched In:

Official References

- Node Security Release July 2022
- CVE-2022-35255 (NVD record)
- Node.js Issue Tracking (#44036)
- Commit Fixing the Bug

Do Not Generate Keys On Boot

Try to ensure your system has enough entropy before you generate keys—especially for cloud, containers, and IoT.

Final Thoughts

Randomness bugs might sound boring, but as this CVE shows, they're a hacker's dream. Developers should always make sure their crypto libraries are kept up-to-date and treat "random number generation" as a core security feature.

If in doubt—always use patched versions, never roll your own random code, and read CVE reports, even if you’re not a security pro.


*Written by [YourName], 2024.  
Exclusive explanation and code samples for this platform. Please do not re-use without attribution.*

Timeline

Published on: 12/05/2022 22:15:00 UTC
Last modified on: 12/08/2022 15:58:00 UTC