CVE-2025-54883

Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the getSecureRandomInt function in security-kit versions prior to 3.5.0 (packaged in Vision-ui <= 1.4.0) contains a critical cryptographic weakness. Due to a silent 32-bit integer overflow in its internal masking logic, the function fails to produce a uniform distribution of random numbers when the requested range between min and max is larger than 2³². The root cause is the use of a 32-bit bitwise left-shift operation (<<) to generate a bitmask for the rejection sampling algorithm. This causes the mask to be incorrect for any range requiring 32 or more bits of entropy. This issue is fixed in version 1.5.0.

CVSS

No CVSS.

References

Link	Resource
https://github.com/DavidOsipov/Vision-ui/commit/347355859f05e98047efbd96fc0e61b9191324f1
https://github.com/DavidOsipov/Vision-ui/security/advisories/GHSA-c9xg-x7h3-mq2q

Configurations

No configuration.

History

06 Aug 2025, 20:23

Type	Values Removed	Values Added
Summary		(es) Vision UI es una colección de módulos empresariales sin dependencias para proyectos web modernos. En las versiones 1.4.0 y anteriores, la función getSecureRandomInt de las versiones del kit de seguridad anteriores a la 3.5.0 (incluidas en Vision-ui <= 1.4.0) presenta una vulnerabilidad criptográfica crítica. Debido a un desbordamiento silencioso de enteros de 32 bits en su lógica de enmascaramiento interna, la función no genera una distribución uniforme de números aleatorios cuando el rango solicitado entre min y max es mayor que 2³². La causa principal es el uso de una operación de desplazamiento a la izquierda bit a bit de 32 bits (<<) para generar una máscara de bits para el algoritmo de muestreo de rechazo. Esto provoca que la máscara sea incorrecta para cualquier rango que requiera 32 bits o más de entropía. Este problema se solucionó en la versión 1.5.0.

06 Aug 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-06 00:15

Updated : 2025-08-06 20:23

NVD link : CVE-2025-54883

Mitre link : CVE-2025-54883

CVE.ORG link : CVE-2025-54883

JSON object : View

Products Affected

No product.

CWE

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

{"id": "CVE-2025-54883", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-06T00:15:32.050", "references": [{"url": "https://github.com/DavidOsipov/Vision-ui/commit/347355859f05e98047efbd96fc0e61b9191324f1", "source": "security-advisories@github.com"}, {"url": "https://github.com/DavidOsipov/Vision-ui/security/advisories/GHSA-c9xg-x7h3-mq2q", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-338"}]}], "descriptions": [{"lang": "en", "value": "Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the getSecureRandomInt function in security-kit versions prior to 3.5.0 (packaged in Vision-ui <= 1.4.0) contains a critical cryptographic weakness. Due to a silent 32-bit integer overflow in its internal masking logic, the function fails to produce a uniform distribution of random numbers when the requested range between min and max is larger than 2\u00b3\u00b2. The root cause is the use of a 32-bit bitwise left-shift operation (<<) to generate a bitmask for the rejection sampling algorithm. This causes the mask to be incorrect for any range requiring 32 or more bits of entropy. This issue is fixed in version 1.5.0."}, {"lang": "es", "value": "Vision UI es una colecci\u00f3n de m\u00f3dulos empresariales sin dependencias para proyectos web modernos. En las versiones 1.4.0 y anteriores, la funci\u00f3n getSecureRandomInt de las versiones del kit de seguridad anteriores a la 3.5.0 (incluidas en Vision-ui <= 1.4.0) presenta una vulnerabilidad criptogr\u00e1fica cr\u00edtica. Debido a un desbordamiento silencioso de enteros de 32 bits en su l\u00f3gica de enmascaramiento interna, la funci\u00f3n no genera una distribuci\u00f3n uniforme de n\u00fameros aleatorios cuando el rango solicitado entre min y max es mayor que 2\u00b3\u00b2. La causa principal es el uso de una operaci\u00f3n de desplazamiento a la izquierda bit a bit de 32 bits (<<) para generar una m\u00e1scara de bits para el algoritmo de muestreo de rechazo. Esto provoca que la m\u00e1scara sea incorrecta para cualquier rango que requiera 32 bits o m\u00e1s de entrop\u00eda. Este problema se solucion\u00f3 en la versi\u00f3n 1.5.0."}], "lastModified": "2025-08-06T20:23:37.600", "sourceIdentifier": "security-advisories@github.com"}