

Insecure UUID

An Insecure UUID vulnerability arises when an application treats a UUID (Universally Unique Identifier) as an unguessable secret, but the UUID version in use is not random. Of the versions defined in RFC 4122, only version 4 is built from random data: 122 of its 128 bits are random, the remaining six encode the version and variant. Version 1 is assembled from a 60-bit timestamp, a 14-bit clock sequence and a 48-bit node identifier (normally the host's MAC address), and versions 3 and 5 are hashes of a namespace and a name, so anyone who knows or can guess the inputs can reproduce or predict the identifier. Using such UUIDs as session tokens, password-reset links or references to protected objects can lead to predictable token generation, session fixation, user enumeration, or unauthorised access to protected resources. Even a version 4 UUID is only as strong as the random number generator behind it: a library that fills the random bits from a non-cryptographic PRNG produces identifiers that look like version 4 but remain predictable.
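
To make the difference concrete, the following TypeScript inspector (an added example, not code from the SecDim labs) parses a UUID string, reports its version and variant, states how many bits an attacker would have to guess, and for version 1 recovers the creation timestamp, clock sequence and node. The two sample UUIDs are constructed for the example and do not come from any real system; the decoder assumes the standard RFC 4122 layout and runs on plain Node.js with no dependencies.

```typescript
// Added example (not SecDim lab code): dissect a UUID string to see how much
// of it an attacker has to guess. Only the RFC 4122 layout is assumed.

export interface UuidInfo {
  version: number;
  variant: "ncs" | "rfc4122" | "microsoft" | "future";
  randomBits: number | null; // bits an attacker must guess; null = not classified
  timestamp?: string;        // v1 only: creation time recovered from the UUID
  clockSeq?: number;         // v1 only: 14-bit clock sequence
  node?: string;             // v1 only: 48-bit node, normally the host MAC
}

// 8-4-4-4-12 hex groups: time_low, time_mid, time_hi_and_version,
// clock_seq (variant in the top bits), node.
const UUID_RE =
  /^([0-9a-f]{8})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{4})-([0-9a-f]{12})$/i;

// 100-ns ticks from the UUID epoch (1582-10-15) to the Unix epoch, as two
// limbs (upper 28 / lower 32 bits) because the 60-bit value exceeds 2^53.
const GREGORIAN_OFFSET_HI = 0x01b21dd2;
const GREGORIAN_OFFSET_LO = 0x13814000;

function variantOf(nibble: number): UuidInfo["variant"] {
  if ((nibble & 0x8) === 0) return "ncs";
  if ((nibble & 0xc) === 0x8) return "rfc4122";
  if ((nibble & 0xe) === 0xc) return "microsoft";
  return "future";
}

function randomBitsFor(version: number): number | null {
  switch (version) {
    case 4: return 122;               // all but 4 version + 2 variant bits
    case 1: case 3: case 5: return 0; // time/node or name hash: deterministic
    default: return null;             // other versions not classified here
  }
}

// Recover the v1 fields. The timestamp arithmetic stays exact in doubles by
// keeping the 60-bit tick count in two limbs and using
// 2^32 = 429496 * 10000 + 7296 to divide by 10000 (ticks per millisecond).
function decodeV1(timeLow: string, timeMid: string, timeHiVer: string,
                  clockSeq: string, node: string): Partial<UuidInfo> {
  const lo = parseInt(timeLow, 16);
  const hi = (parseInt(timeHiVer, 16) & 0x0fff) * 0x10000 + parseInt(timeMid, 16);
  let l = lo - GREGORIAN_OFFSET_LO;
  let h = hi - GREGORIAN_OFFSET_HI;
  if (l < 0) { l += 0x100000000; h -= 1; }   // borrow from the upper limb
  const ms = h * 429496 + Math.floor((h * 7296 + l) / 10000);
  return {
    timestamp: new Date(ms).toISOString(),
    clockSeq: parseInt(clockSeq, 16) & 0x3fff,
    node: (node.toLowerCase().match(/.{2}/g) as string[]).join(":"),
  };
}

export function inspectUuid(uuid: string): UuidInfo {
  const m = UUID_RE.exec(uuid);
  if (!m) throw new Error(`not an RFC 4122 UUID: ${uuid}`);
  const [, timeLow, timeMid, timeHiVer, clockSeq, node] = m;
  const version = parseInt(timeHiVer[0], 16);
  const info: UuidInfo = {
    version,
    variant: variantOf(parseInt(clockSeq[0], 16)),
    randomBits: randomBitsFor(version),
  };
  return version === 1
    ? { ...info, ...decodeV1(timeLow, timeMid, timeHiVer, clockSeq, node) }
    : info;
}

// Constructed samples for this example (not identifiers from any real system).
export const SAMPLE_V1 = "b4cc8000-a838-11ee-8b3c-0242ac110002";
export const SAMPLE_V4 = "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d";

console.log(inspectUuid(SAMPLE_V1)); // version 1: timestamp and node recovered
console.log(inspectUuid(SAMPLE_V4)); // version 4: 122 random bits, nothing else
```

Running it shows why a leaked version 1 UUID is a problem: the sample decodes to a creation time of 2024-01-01T00:00:00.000Z and the node `02:42:ac:11:00:02`, so an attacker who has seen one identifier knows the host and only has to search nearby timestamps to guess its neighbours. The version 4 sample yields nothing beyond its 122 random bits.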

Remediation

  • Generate UUIDs with version 4 only, from a library whose implementation draws the random bits from a CSPRNG (for example `crypto.randomUUID()` in Node.js and browsers); never use version 1, 3 or 5 where unpredictability matters.
  • Do not rely on a UUID alone as the secret for security-sensitive operations (e.g., session tokens, password reset links): even a version 4 UUID carries at most 122 bits of randomness and advertises its structure.
  • Use cryptographically secure random number generators (CSPRNGs) for token and key generation, and give dedicated secrets their own length (e.g., 32 random bytes) rather than reusing an identifier.
  • Enforce minimum length and entropy requirements on identifiers accepted in security-critical contexts, and reject UUIDs that are not version 4 with the RFC 4122 variant; a format check cannot detect a weak generator, so the fix belongs in generation, not validation.
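
The remediation items above, as an added TypeScript example (not code from the SecDim labs): a hand-rolled version 4 generator built on `Math.random()` beside the CSPRNG-backed `crypto.randomUUID()`, a dedicated 256-bit token minted from `crypto.randomBytes`, and two validators for security-sensitive inputs. The function names are chosen for this example; it assumes a Node.js runtime with the built-in `crypto` module.

```typescript
import { randomUUID, randomBytes } from "crypto";

// Added example (not SecDim lab code). Three generators and two checks, to
// show that "looks like a v4 UUID" and "is unpredictable" are different
// properties.

// INSECURE: the classic hand-rolled "v4" built from Math.random(). It has the
// right version and variant bits, but Math.random() is not a CSPRNG, so its
// output is predictable to anyone who can observe earlier values.
export function insecureUuidV4(): string {
  return "xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx".replace(/[xy]/g, (c) => {
    const r = Math.floor(Math.random() * 16);
    return (c === "x" ? r : (r & 0x3) | 0x8).toString(16); // y: variant 10xx
  });
}

// SECURE: Node's randomUUID() fills the 122 random bits from the CSPRNG.
export function secureUuidV4(): string {
  return randomUUID();
}

// For session tokens or reset links, mint a dedicated secret instead of
// reusing an identifier: 32 CSPRNG bytes = 256 bits, hex encoded.
export function secureToken(bytes = 32): string {
  return randomBytes(bytes).toString("hex");
}

// Structural gate for identifiers accepted on a security-sensitive path:
// version 4 only, RFC 4122 variant (8, 9, a or b). Rejects v1/v3/v5 outright.
// It cannot judge entropy: insecureUuidV4() passes too, which is why the
// generator, not the validator, is where the fix lives.
const RANDOM_UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

export function isRandomUuid(id: string): boolean {
  return RANDOM_UUID_RE.test(id);
}

// Minimum-length gate for hex-encoded bearer secrets: at least minBits of
// material (4 bits per hex digit), 128 by default.
export function isAcceptableToken(token: string, minBits = 128): boolean {
  return /^[0-9a-f]+$/i.test(token) && token.length * 4 >= minBits;
}

console.log(secureUuidV4(), isRandomUuid(secureUuidV4()));     // true
console.log(insecureUuidV4(), isRandomUuid(insecureUuidV4()));  // true: format can't tell
console.log(secureToken(), isAcceptableToken(secureToken()));   // true
```

The point of keeping the insecure generator next to the secure one is that both pass `isRandomUuid`: structural validation is still worth doing (it stops a version 1 identifier from being accepted as a token), but only choosing a CSPRNG-backed generator removes the predictability.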

Metadata

  • Severity: low
  • Slug: insecure-uuid

CWEs

  • 337: Predictable Seed in Pseudo-Random Number Generator (PRNG)
  • 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • 331: Insufficient Entropy

OWASP

  • A02:2021: Cryptographic Failures
  • A07:2021: Identification and Authentication Failures

Available Labs

Open TypeScript labs in SecDim Play for this vulnerability.
