
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-41117 is a vulnerability in keypair, an open-source RSA PEM key generator written in JavaScript that is used, among other things, to create the RSA keys clients present for SSH authentication. The bug was discovered in September 2021 and disclosed on October 11, 2021. It affects keypair versions up to and including 1.0.3 and, because the GitKraken git GUI client embeds that library, GitKraken versions 7.6.x, 7.7.x, and 8.0.0, released between May 12, 2021, and September 27, 2021 (GitHub Advisory, Security Lab).
The vulnerability stems from a bug in the pseudo-random number generator used by keypair. Random bytes came from a Lehmer linear congruential generator (LCG), and the code that turned its numeric output into a byte string applied String.fromCharCode twice. The first call produces a one-character string; the second call coerces that string back to a number, which is NaN (and therefore code unit 0) for every character except the decimal digits '0' to '9'. As a result roughly 97% of the generated bytes were zero and the remaining ones were confined to the values 1 to 9. The issue was particularly severe because the library failed to use the Node.js CSPRNG when running under Node.js and instead relied on this insecure fallback path, so the broken generator was the one actually producing key material. The vulnerability received a CVSS score of 8.7 (High) according to GitHub's assessment, while the NVD rated it at 9.1 (Critical) (Hacker News, Security Lab).
The result was weak RSA keys: with almost no entropy in the bytes used to build the prime candidates, the keyspace was tiny, different users could end up with identical keys, and an attacker who produced or recovered such a key could decrypt data encrypted to it or authenticate as the victim to their Git hosting accounts. The impact was significant enough that GitHub, Microsoft Azure DevOps, GitLab, and Atlassian Bitbucket initiated mass revocations of SSH keys associated with accounts where the GitKraken client had been used (Hacker News).
The vulnerability was patched in keypair version 1.0.4 and GitKraken version 8.0.1. Users were advised to review and remove all old GitKraken-generated SSH keys stored locally and to generate new SSH keys using GitKraken 8.0.1 or later for each of their Git service providers. GitHub also added protections to prevent vulnerable versions of GitKraken from registering newly generated weak keys (Hacker News). Note that the provider-side revocations can only cover keys registered with those providers: a public key generated by an affected GitKraken version and deployed anywhere else, such as an authorized_keys file on a self-managed server, is just as weak and has to be found and replaced separately.
Source: This report was generated using AI