crypto-js
npm
2 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting crypto-js
- CVE-2020-36732, MEDIUM, CVSS 5.3, EG 5.3, ✓ Fixed in 3.2.1, 2023-06-12
vulnerable: 3.2.0
The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
- CVE-2023-46233, CRITICAL, CVSS 9.1, EG 9.1, ✓ Fixed in 4.2.0, 2023-10-25
crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it…