Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-cxsz-utx3-subs
Vulnerability ID VCID-cxsz-utx3-subs
Aliases GHSA-vfgx-5q85-58q3
Summary openssl-encrypt has non-cryptographic PRNG used for steganography pixel selection ### Summary The `generate_pseudorandom_sequence()` function in `openssl_encrypt/plugins/steganography/core/utils.py` at **lines 89-91** uses Python's `random` module (Mersenne Twister) for steganographic pixel/sample selection. ### Affected Code ```python random.seed(seed) sequence = random.sample(range(max_value), min(length, max_value)) return sequence ``` Additionally, the steganography password is stored as a plain Python string (not `SecureBytes`) and only 8 bytes (64 bits) of the SHA-256 hash are used for the seed, reducing effective security to 64 bits. ### Impact The Mersenne Twister's state can be recovered from approximately 624 outputs. An attacker who knows or guesses the password can predict the PRNG sequence and determine exactly which pixels contain hidden data, potentially extracting the hidden data without the password. ### Recommended Fix - Use HMAC-DRBG or `secrets` module for cryptographically secure pixel selection - Use full 32-byte SHA-256 output as seed material - Store the password in `SecureBytes` instead of a plain string ### Fix Fixed in commit `09e96e0` on branch `releases/1.4.x` — replaced random.seed(hash(password)) with HMAC-SHA256 based CSPRNG (Fisher-Yates shuffle) and numpy Generator with HMAC-derived seeds across all steganography format modules.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-330 Use of Insufficiently Random Values
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vfgx-5q85-58q3
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt/commit/09e96e090417d34d2f533f6810d3cd4f77810101
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt/commit/09e96e090417d34d2f533f6810d3cd4f77810101
cvssv3.1_qr MODERATE https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-vfgx-5q85-58q3
cvssv4 6.6 https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-vfgx-5q85-58q3
generic_textual MODERATE https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-vfgx-5q85-58q3
Reference id Reference type URL
https://github.com/jahlives/openssl_encrypt
https://github.com/jahlives/openssl_encrypt/commit/09e96e090417d34d2f533f6810d3cd4f77810101
https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-vfgx-5q85-58q3
GHSA-vfgx-5q85-58q3 https://github.com/advisories/GHSA-vfgx-5q85-58q3
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt/commit/09e96e090417d34d2f533f6810d3cd4f77810101
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U Found at https://github.com/jahlives/openssl_encrypt/security/advisories/GHSA-vfgx-5q85-58q3
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-12T07:50:28.043958+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-vfgx-5q85-58q3/GHSA-vfgx-5q85-58q3.json 38.6.0