Skip to content

Generate message IDs with CSPRNG instead of Date.now+random#5

Merged
TeoSlayer merged 1 commit into
mainfrom
fix/wire-id-csprng
Jun 22, 2026
Merged

Generate message IDs with CSPRNG instead of Date.now+random#5
TeoSlayer merged 1 commit into
mainfrom
fix/wire-id-csprng

Conversation

@TeoSlayer

Copy link
Copy Markdown
Contributor

Vulnerability

newId() in plugin/src/wire.ts generated message IDs from Date.now() concatenated with Math.floor(Math.random() * 36**12). Both inputs are predictable:

  • Date.now() is observable/guessable to the millisecond.
  • Math.random() is not a CSPRNG — its output is predictable and can collide.

Message IDs are used to correlate request/response envelopes and to assemble multi-part (chunked) messages sharing the same id. Predictable or colliding IDs allow an attacker to guess in-flight IDs (enabling spoofed replies / chunk injection) and risk accidental collisions that cross-contaminate reassembly buffers.

Fix

Replace the ad-hoc generator with crypto.randomUUID() (Node Web Crypto-backed CSPRNG), which is unique and unpredictable. newId() keeps the same synchronous () => string signature, so all call sites are unaffected.

Verification

  • npm run build (tsc) — clean, no type errors.
  • npm test (vitest) — 230/230 pass, including the newId uniqueness test.

@codecov

codecov Bot commented Jun 22, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@TeoSlayer TeoSlayer merged commit 0e4a0c7 into main Jun 22, 2026
4 checks passed
@matthew-pilot matthew-pilot deleted the fix/wire-id-csprng branch June 22, 2026 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants