CIVI-SA-2025-08: Harden createRandom()

Published
2025-12-17 12:00

The helper function CRM_Utils_String::createRandom() relies on a "cryptographically weak" random number generator.

A "weak" generator appears random but can sometimes be predicted. The significance depends on the specific use-cases which call this helper.

  • For cryptography, CiviCRM does not use this helper. (It uses the more appropriate random_bytes().)
  • A partial survey of createRandom() use-cases has found that callers often have other mitigating circumstances. (No useful exploits are known.)
  • Nevertheless, this is a generic helper on an extensible platform. It could be used in insecure and unforeseen ways.

As a precaution, the helper will use a "stronger" random number generator.

(Note: An earlier revision of this advisory was inaccurately published under the heading "CIVI-SA-2026-08". It should be "CIVI-SA-2025-08".)

Security Risk
Less Critical
Vulnerability
Other
Affected Versions

CiviCRM v6.9.0 and earlier

Fixed Versions

CiviCRM v6.9.1, v6.4.2 (ESR), and later

Publication Date

2025-12-17
Solutions

Any ONE of the following will mitigate the vulnerability:

  • Upgrade to a fixed version of CiviCRM, or...
  • Manually apply the patch from https://lab.civicrm.org/-/snippets/103, or...
  • Manually edit CRM/Utils/String.php. In createRandom(), change rand(1, $alphabetSize) to random_int(1, $alphabetSize).
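The following is an added illustration, not code from CiviCRM or from the patch linked above: a minimal helper modelled on the rand()-based pattern the advisory describes, beside the random_int()-based form the third solution produces. The function names, the signature (length plus alphabet), and the sanity-check helper are assumptions made for this example.

```php
<?php
// Added example (not CiviCRM's code): a helper shaped like the pattern
// in the advisory, in its weak and its hardened form. Names and signature
// are assumptions for illustration only.

declare(strict_types=1);

/**
 * Weak variant: rand() is a non-cryptographic PRNG (since PHP 7.1 it is an
 * alias of mt_rand()). Its future output can be inferred from earlier
 * output, so a token built this way must not be relied on for
 * unpredictability.
 */
function createRandomWeak(int $len, string $alphabet): string
{
    $alphabetSize = strlen($alphabet);
    $result = '';
    for ($i = 0; $i < $len; $i++) {
        // rand(1, N) yields 1..N, hence the -1 when indexing the alphabet
        $result .= $alphabet[rand(1, $alphabetSize) - 1];
    }
    return $result;
}

/**
 * Hardened variant: random_int() draws from the operating system CSPRNG
 * and throws (\Random\RandomException on PHP 8.2+, \Exception before) if
 * no secure source is available, instead of silently degrading.
 */
function createRandomStrong(int $len, string $alphabet): string
{
    if ($len < 1 || $alphabet === '') {
        throw new InvalidArgumentException('len must be >= 1 and alphabet must be non-empty');
    }
    $alphabetSize = strlen($alphabet);
    $result = '';
    for ($i = 0; $i < $len; $i++) {
        // same 1..N range as the weak form, only the generator changes
        $result .= $alphabet[random_int(1, $alphabetSize) - 1];
    }
    return $result;
}

/**
 * Sanity check for a generated value: correct length, and every character
 * drawn from the alphabet. This catches off-by-one indexing errors in
 * either variant; it cannot, by itself, tell a weak generator from a
 * strong one, which is why the generator choice has to be reviewed in code.
 */
function isWellFormed(string $value, int $len, string $alphabet): bool
{
    return strlen($value) === $len
        && strspn($value, $alphabet) === strlen($value);
}

$alphabet = 'abcdefghijklmnopqrstuvwxyz0123456789';
$weak = createRandomWeak(32, $alphabet);
$strong = createRandomStrong(32, $alphabet);
printf("weak:   %s (%s)\n", $weak, isWellFormed($weak, 32, $alphabet) ? 'ok' : 'bad');
printf("strong: %s (%s)\n", $strong, isWellFormed($strong, 32, $alphabet) ? 'ok' : 'bad');
```

Because the helper is reachable from extensions, applying the fix in core does not tell you how the value is used downstream; searching an installation's extension directories for calls to createRandom( and checking whether each result feeds something that needs unpredictability (a token, a nonce, a temporary credential) is the complementary check on the "unforeseen uses" point above.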
Credits

Tim Otten (CiviCRM), Eileen McNaughton (Wikimedia Foundation)

References

security/core!221