Math.random() Is Not Random Enough. I Found It Building API Keys in a 44K-Star Repo.
Critical security flaw in popular open-source repo with actionable fix.
Cal.com's 44K-star open-source scheduling platform used Math.random() to generate API keys, but V8's xorshift128+ PRNG is deterministic: tools such as v8_rand_buster recover its internal state from 3–4 consecutive outputs, so an attacker who observes a few keys can predict the ones generated next. The article recommends crypto.randomBytes or a similar CSPRNG and an ESLint rule (eslint-plugin-node-s) to catch this insecure pattern.
- Replace Math.random() with crypto.randomBytes or crypto.getRandomValues for any security-sensitive token generation.
For a solutions architect, this highlights a common security pitfall in open-source code that can compromise API key generation, emphasizing the need for cryptographic randomness in token generation and automated linting to enforce secure practices.