Use of predictable RNG for password generation in pkp/pkp-lib


Reported on

Jul 5th 2023


pkp-lib implements a password-generation function with the following line of code being integral to its functionality:

for (...) {
    $password .= mt_rand(1, 4) == 4 ? $numbers[mt_rand(0, strlen($numbers) - 1)] : $letters[mt_rand(0, strlen($letters) - 1)];

This relies upon mt_rand(low, high); to generate a secure value that nobody should be able to predict; mt_rand is considered unsafe and contains a disclosure in its documentation noting that Randomizer-based functions should be used in the event of unpredictability being at all important.

There have been several instances of mt_rand being exploited, with this blog post providing a decent outline of how an adversary can derive future mt_rand outcomes with little more than two previous values. Additionally, the function is seeded using mt_srand here, where the current time is used as the seed of the mersenne twister function - meaning that an attacker with knowledge of the time that the function was seeded (or can guess that time) is also able to predict all future outcomes of the function, and hence future outcomes of generatePassword($length).


Allowing attackers to predict passwords/tokens provides them with simple access to users' accounts (+1, +2) and access tokens, all of which would have catastrophic impact for affected victims.

We are processing your report and will contact the pkp/pkp-lib team within 24 hours. 5 months ago
We have contacted a member of the pkp/pkp-lib team and are waiting to hear back 5 months ago
Alec Smecher validated this vulnerability 5 months ago

Thanks for reporting; this is filed and fixed here:

Michael Rowley has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alec Smecher marked this as fixed in 3.3.0-16 with commit e5e7e5 5 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Sep 1st 2023
Michael Rowley
4 months ago


Hi Alec,

Great work on getting this fixed, would it be possible to know which CVE-ID has been reserved for this report?

Alec Smecher published this vulnerability 3 months ago
to join this conversation