An Insecure UUID vulnerability arises when UUIDs (Universally Unique Identifiers) are used as a source of randomness, but non-random versions are implemented. Only UUID version 4 is designed to generate identifiers using strong random values, providing high entropy and uniqueness. Other versions (e.g., version 1, which incorporates timestamps and MAC addresses) introduce predictable patterns that can be exploited by adversaries. This may lead to vulnerabilities such as predictable token generation, session fixation, user enumeration, or unauthorised access to protected resources.
Remediation
Always generate UUIDs using version 4 (random-based) to ensure sufficient entropy and avoid predictability.
Do not rely on UUIDs alone as a source of randomness for security-sensitive operations (e.g., session tokens, password reset links).
Use cryptographically secure random number generators (CSPRNGs) for token and key generation.
Enforce proper length and entropy requirements when using UUIDs in security-critical contexts.
Metadata
Severity: low
Slug: insecure-uuid
CWEs
337: Predictable Seed in Pseudo-Random Number Generator (PRNG)
338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
331: Insufficient Entropy
OWASP
A02:2021: Cryptographic Failures
A07:2021: Identification and Authentication Failures
Available Labs
Select a language to explore available labs for this vulnerability.
Want to skill-up in secure coding and AppSec?
Try SecDim Wargames to learn how to find, hack
and fix security vulnerabilities inspired by real-world incidents.
Join our secure coding and AppSec community.
A discussion board to share and
discuss all aspects of secure
programming, AppSec, DevSecOps,
fuzzing, cloudsec, AIsec
code review, and more.
