cvedb.io
CVE-2021-41117
HIGH · CVSS 8.7
EPSS exploitation probability: 0%
Published 2021-10-11T17:15:07.973 · Last modified 2026-06-17T04:07:54.300

Summary

keypair is a a RSA PEM key generator written in javascript. keypair implements a lot of cryptographic primitives on its own or by borrowing from other libraries where possible, including node-forge. An issue was discovered where this library was generating identical RSA keys used in SSH. This would mean that the library is generating identical P, Q (and thus N) values which, in practical terms, is impossible with RSA-2048 keys. Generating identical values, repeatedly, usually indicates an issue with poor random number generation, or, poor handling of CSPRNG output. Issue 1: Poor random number generation (`GHSL-2021-1012`). The library does not rely entirely on a platform provided CSPRNG, rather, it uses it's own counter-based CMAC approach. Where things go wrong is seeding the CMAC impleme

Affected products

keypair_project — keypair

Does this affect you?

Add your gear to cvedb and we'll alert you only when keypair_project ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.