Math.random() API Key Generation Found in 44K-Star Repo — He

Math.random() API Key Generation Found in 44K-Star Repo — Here's the Fix

A developer discovered that the 44K-star open-source project react-native-elements uses Math.random() to generate integration API keys, which is predictable and insecure. The article explains why Math.random() is a PRNG, not a CSPRNG, and provides the ESLint rule to catch it plus the one-line fix using crypto.randomBytes.

3 min readMay 31, 2026

Math.random() API Key Generation Found in 44K-Star Repo — Here's the Fix

The Bug: Math.random() Generating API Keys

A 44K-star open-source repository — react-native-elements — was found using Math.random() to generate integration API keys. This is a security vulnerability because Math.random() is a Pseudo-Random Number Generator (PRNG), not a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG).

Why Math.random() Is Not Secure

Math.random() in JavaScript uses an algorithm like XorShift128+ in V8. Once an attacker recovers the internal state by observing a few outputs, they can predict all future outputs. For API keys, which are used for authentication, this predictability means an attacker could forge valid keys.

The Attack: Recovering the Internal State

The article describes a class of attack: by collecting a sequence of Math.random() outputs, an attacker can reverse-engineer the PRNG state. Tools like v8-randomness-predictor exist to do this. With the state known, the attacker can generate the same "random" keys the application would produce.

The Fix: Use crypto.randomBytes

The one-line fix is to replace Math.random() with crypto.randomBytes() (Node.js) or crypto.getRandomValues() (browser). These are CSPRNGs that are seeded from system entropy and are not predictable.

Example of the vulnerable code:

function generateApiKey() {
  return Math.random().toString(36).substr(2, 16);
}

Fixed version:

const crypto = require(&#39;crypto&#39;);
function generateApiKey() {
  return crypto.randomBytes(16).toString(&#39;hex&#39;);
}

ESLint Rule to Catch This

To prevent this pattern, use the ESLint plugin eslint-plugin-security with rule detect-unsafe-random. Alternatively, a custom ESLint rule can flag any use of Math.random() in non-trivial contexts. The article provides an example rule that forbids Math.random() in functions that generate secrets.

Codebase Impact

React Native Elements is a UI library with 44K stars. The issue was found in a utility function generating integration API keys for third-party services. The fix was merged after the report.

Why This Matters

Many developers assume Math.random() is random enough for security. This case proves otherwise. The same pattern appears in countless projects: generating IDs, tokens, or keys with Math.random(). Each instance is a potential backdoor.

Next Steps for Developers

Audit your codebase for Math.random() usage, especially in functions that generate secrets, tokens, or IDs.
Install eslint-plugin-security and enable detect-unsafe-random.
Replace Math.random() with crypto.randomBytes() (Node) or crypto.getRandomValues() (browser) for any security-sensitive randomness.
For UUIDs, use crypto.randomUUID() (Node 14.17+).
Consider using a dedicated library like uuid with crypto backend.

Conclusion

Math.random() is not secure for secrets. The react-native-elements case is a wake-up call. The fix is trivial; the risk is not. Run the audit today.

Editor's Take

I've seen Math.random() used in production code for session tokens and password resets more times than I care to admit. The fact that a 44K-star repo had this issue shows how easy it is to overlook. I once audited a startup's entire auth system and found Math.random() generating OAuth state parameters. We switched to crypto.randomBytes, and the fix took 10 minutes. The lesson: never trust a PRNG for secrets, no matter how random it looks.

— DevDigest Editorial

Key Takeaways

•Replace Math.random() with crypto.randomBytes() for any security-sensitive randomness in Node.js.
•Add eslint-plugin-security with rule detect-unsafe-random to your CI pipeline to catch this automatically.
•For browser code, use crypto.getRandomValues() or crypto.randomUUID() instead of Math.random().

Why It Matters

If you're generating API keys, tokens, or any secrets in Node.js or the browser and using Math.random(), your keys are predictable. This vulnerability was found in a 44K-star project, meaning it could affect millions of users. The fix is a one-liner, but the damage if exploited is severe.

#security#javascript#crypto#nodejs#eslint

Get the weekly digest

Every Sunday - top tech stories, industry breakthroughs, and developer tools delivered to your inbox.

No spam, unsubscribe anytime.

Math.random() API Key Generation Found in 44K-Star Repo — Here's the Fix

The Bug: Math.random() Generating API Keys

Why Math.random() Is Not Secure

The Attack: Recovering the Internal State

The Fix: Use crypto.randomBytes

ESLint Rule to Catch This

Codebase Impact

Why This Matters

Next Steps for Developers

Conclusion

Editor's Take

Key Takeaways

Why It Matters

Get the weekly digest

You might also like

Fake Job Assessment Repo Hid Malware in SVG Comments

GitGuardian Finds 44 Active Kubernetes Clusters Exposed via Public Leaks

Apple macOS Tahoe Patches 40+ CVEs Including AI-Discovered Kernel Bug

ECB Orders Banks to Patch Faster as AI Model Mythos Finds Zero-Days at 83% Success Rate

Racket v9.2 Released: Breaking Changes in match and Typed Racket

wolfCOSE: A Zero-Alloc C Library for COSE with Post-Quantum Signatures