F-2026-0012 · weak-randomness

Insecure randomness in session ID generation

Fixed · pentest · typescript · backend
TL;DR

Session IDs were generated from a non-cryptographically-secure random source, reducing entropy and creating a (small but non-zero) prediction surface.

Severity
LOW
Impact
LOW
Likelihood
MEDIUM
Method
Manual review
Complexity
MEDIUM
Exploitability
LOW

Description

The session ID generator used a non-CSPRNG source (e.g., Math.random() or an equivalent). While the predictability window is narrow, session identifiers should always be generated from a CSPRNG to avoid even theoretical guess attacks.


Impact

Low: session IDs are still hard to guess in practice, but the cryptographic posture is weaker than it should be for an identifier used in authorization decisions.


Recommendation

Switch to a CSPRNG (crypto.randomBytes, crypto.randomUUID) for session ID generation. Audit other identifier-generation sites for the same pattern.
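The weak pattern described in this finding next to the recommended CSPRNG-backed generators, plus a small heuristic helper for auditing other identifier-generation sites. This is an added example, not code from the audited project; function names and the sample source are constructed for illustration.

```typescript
import { randomBytes, randomUUID } from "crypto";

// Weak pattern from the finding: Math.random() is not a CSPRNG, so the
// identifier's entropy is bounded by the PRNG state, not by its length.
// Kept here only as the "before" form; do not use for session IDs.
export function weakSessionId(length = 32): string {
  const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
  let id = "";
  for (let i = 0; i < length; i++) {
    id += alphabet[Math.floor(Math.random() * alphabet.length)];
  }
  return id;
}

// Hardened form: 32 bytes (256 bits) from the OS CSPRNG, base64url-encoded
// so the value is cookie- and header-safe without further escaping.
export function secureSessionId(bytes = 32): string {
  return randomBytes(bytes).toString("base64url");
}

// Alternative when a UUID-shaped identifier is required; randomUUID() is
// also CSPRNG-backed (122 random bits in a v4 UUID).
export function secureSessionUuid(): string {
  return randomUUID();
}

// Upper bound on an ID's entropy in bits from its length and alphabet size.
// Handy as a unit-test guard that a generator meets a minimum (e.g. >= 128).
export function idEntropyBits(id: string, alphabetSize: number): number {
  return id.length * Math.log2(alphabetSize);
}

// Audit heuristic (assumption: a line-based scan is good enough for triage):
// report 1-based line numbers of Math.random() calls where the same line or
// the line before mentions an identifier-like keyword.
export function findWeakIdSites(source: string): number[] {
  const hint = /session|token|nonce|secret|\bid\b/i;
  const lines = source.split("\n");
  const hits: number[] = [];
  lines.forEach((line, i) => {
    const context = (i > 0 ? lines[i - 1] + "\n" : "") + line;
    if (/Math\.random\s*\(/.test(line) && hint.test(context)) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample source for the audit helper (not real project code).
export const SAMPLE_SOURCE = [
  "function newSessionId() {",
  "  return Math.random().toString(36).slice(2);",
  "}",
  "const jitterMs = Math.random() * 100;",
  "function csrfToken() {",
  "  return Math.random().toString(36);",
  "}",
].join("\n");
```

Running `findWeakIdSites(SAMPLE_SOURCE)` flags lines 2 and 6 and leaves the jitter calculation alone, which is the kind of triage list the audit step above asks for.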

Fair Casino: Fixed. Zealynx: Verified.

Status
Fixed