CVE-2022-35255: 
npm vulnerability analysis and mitigation

CVE-2022-35255 is a high severity vulnerability affecting Node.js versions 15.0.0 through 15.14.0, 16.0.0 through 16.12.0, 16.13.0 prior to 16.17.1, and 18.0.0 prior to 18.9.1. The vulnerability was discovered in September 2022 and relates to weak randomness in WebCrypto keygen functionality (Node.js Blog).

The vulnerability exists due to improper handling of EntropySource() calls in SecretKeyGenTraits::DoKeyGen() within src/crypto/crypto_keygen.cc. The implementation does not check the return value of EntropySource(), incorrectly assuming it always succeeds. Additionally, the random data returned by EntropySource() may not be cryptographically strong and therefore not suitable as keying material (Debian Security).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information or addition/modification of data. The vulnerability has been assigned a CVSS score of 9.1 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NetApp Security).

Users should upgrade to Node.js versions 16.17.1 or 18.9.1 or later to address this vulnerability. Additionally, it is recommended to roll-out and re-issue all keys generated with WebCrypto.subtle.generateKey() and re-evaluate the confidentiality of data encrypted with those keys (Node.js Blog).