{"id":"GHSA-5844-q3fc-56rh","summary":"pubnub Insufficient Entropy vulnerability","details":"Versions of the package pubnub before 7.4.0; all versions of the package com.pubnub:pubnub; versions of the package pubnub before 6.19.0; all versions of the package github.com/pubnub/go; versions of the package github.com/pubnub/go/v7 before 7.2.0; versions of the package pubnub before 7.3.0; versions of the package pubnub/pubnub before 6.1.0; versions of the package pubnub before 5.3.0; versions of the package pubnub before 0.4.0; versions of the package pubnub/c-core before 4.5.0; versions of the package com.pubnub:pubnub-kotlin before 7.7.0; versions of the package pubnub/swift before 6.2.0; versions of the package pubnub before 5.2.0; versions of the package pubnub before 4.3.0 are vulnerable to Insufficient Entropy via the getKey function, due to a flawed implementation of the AES-256-CBC cryptographic algorithm. The provided encrypt function is less secure when hex encoding and trimming are applied, leaving half of the bits in the key always the same for every encoded message or file.\n\n**Note:**\n\nIn order to exploit this vulnerability, the attacker needs to invest resources in preparing the attack and brute-force the 
encryption.","aliases":["CVE-2023-26154","GO-2023-2385"],"modified":"2025-07-22T16:04:41.150432Z","published":"2023-12-06T06:30:20Z","database_specific":{"nvd_published_at":"2023-12-06T05:15:10Z","severity":"MODERATE","github_reviewed_at":"2023-12-06T16:55:26Z","github_reviewed":true,"cwe_ids":["CWE-331"]},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-26154"},{"type":"WEB","url":"https://github.com/pubnub/go/commit/428517fef5b901db7275d9f5a75eda89a4c28e08"},{"type":"WEB","url":"https://github.com/pubnub/javascript/commit/fb6cd0417cbb4ba87ea2d5d86a9c94774447e119"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-UNMANAGED-PUBNUBCCORE-6098379"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-SWIFT-PUBNUBSWIFT-6098381"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-RUST-PUBNUB-6098378"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-RUBY-PUBNUB-6098377"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-PYTHON-PUBNUB-6098375"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-PUB-PUBNUB-6098385"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-PHP-PUBNUBPUBNUB-6098376"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JS-PUBNUB-5840690"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098380"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-JAVA-COMPUBNUB-6098371"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGOV7-6098374"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMPUBNUBGO-6098373"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-DOTNET-PUBNUB-6098372"},{"type":"WEB","url":"https://security.snyk.io/vuln/SNYK-COCOAPODS-PUBNUB-6098384"},{"type":"WEB","url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/pubnub/CVE-2023-26154.yml"},{"type":"WEB","url":"https://github.com/pubnub/javascript/blob/master/src/crypto/modules/web.js#L70"},{"type":"PACKAGE","url":"http
s://github.com/pubnub/javascript"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-5844-q3fc-56rh"},{"type":"WEB","url":"https://gist.github.com/vargad/20237094fce7a0a28f0723d7ce395bb0"}],"affected":[{"package":{"name":"pubnub","ecosystem":"npm","purl":"pkg:npm/pubnub"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"7.4.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"com.pubnub:pubnub-kotlin","ecosystem":"Maven","purl":"pkg:maven/com.pubnub/pubnub-kotlin"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.7.0"}]}],"versions":["4.0.0","4.0.1","5.0.0","5.0.1","5.0.2","5.1.0","5.1.1","5.1.2","5.1.3","6.0.0","6.0.1","6.0.2","6.0.3","6.1.0","6.2.0","6.3.0","7.0.0","7.0.1","7.1.0","7.2.0","7.3.0","7.3.1","7.3.2","7.4.0","7.4.1","7.4.2","7.4.3","7.5.0","7.6.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"com.pubnub:pubnub","ecosystem":"Maven","purl":"pkg:maven/com.pubnub/pubnub"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"last_affected":"4.6.5"}]}],"versions":["3.4","3.5.2","3.5.3","3.5.4","3.5.5","3.5.6","3.6.0","3.6.1","3.6.2","3.6.3","3.7.0","3.7.1","3.7.10","3.7.11","3.7.2","3.7.3","3.7.4","3.7.5","3.7.6","3.7.7","3.7.8","3.7.9","4.0.0","4.0.0-beta1","4.0.0-beta2","4.0.0-beta3","4.0.0-beta4","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.2.0","4.2.2","4.2.3","4.6.5"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"github.com/pubnub/go/v7","ecosystem":"Go","purl":"pkg:golang/github.com/pubnub/go/v7
"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"7.2.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"github.com/pubnub/go","ecosystem":"Go","purl":"pkg:golang/github.com/pubnub/go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.0.0-20231016150651-428517fef5b9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"github.com/pubnub/go/v6","ecosystem":"Go","purl":"pkg:golang/github.com/pubnub/go/v6"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"6.1.1-0.20231016150651-428517fef5b9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"github.com/pubnub/go/v5","ecosystem":"Go","purl":"pkg:golang/github.com/pubnub/go/v5"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"5.0.4-0.20231016150651-428517fef5b9"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"Pubnub","ecosystem":"NuGet","purl":"pkg:nuget/Pubnub"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.19.0"}]}],"versions":["3.0.0","3.3.0.1","3.3.0.1-beta0","3.3.0.1-release-01-02-13-1","3.3.0.1-release-01-02-13-2","3.3.0.1-release-01-02-13-3","3.3.0.1-release-01-02-13-4","3.3.0.1-release-01-02-13-5","3.3.0.1-release-12-14-12","3.3.0.1-release-12-14-12-1","3.3.0.1-release-12-14-12-2","3.3.0.1-release-12-14-12-3","3.3.0.1-release-12-14-12-4","3.3.0.1-release-12-14-12-5","3.3.0.1-release-12-14-12-6","3.3.0.1-release-12-14-12-7","3.3.0.1-release-12-14-12-8","3.3.0.1
-release-12-14-12-9","3.3.0.1-release-12-17-12-1","3.3.0.1-release-12-30-12-1","3.3.0.1-release-12-30-12-2","3.3.0.2","3.3.0.2-rc1","3.3.0.2-rc2","3.4.0.1","3.4.0.1-rc1","3.4.0.1-rc2","3.4.0.1-rc3","3.4.0.2","3.4.0.2-rc1","3.5.0.1","3.5.0.1-rc1","3.5.0.1-rc2","3.5.0.1-rc3","3.5.0.1-rc4","3.5.0.1-rc5","3.5.0.1-rc6","3.6.0.1","3.6.0.1-rc1","3.6.0.1-rc2","3.6.0.1-rc3","3.6.0.1-rc4","3.6.0.1-rc5","3.6.0.1-rc6","3.6.0.2","3.6.0.2-rc1","3.6.0.2-rc2","3.6.0.2-rc3","3.6.0.2-rc4","3.6.0.2-rc5","3.6.0.2-rc6","3.6.0.2-rc7","3.6.0.2-rc8","3.7.0","3.7.0-rc1","3.7.0-rc2","3.7.2-rc1","3.7.3","3.7.3-rc1","3.7.5","3.7.5-rc1","3.7.6","3.7.6-rc1","3.7.7","3.7.7-rc1","3.8.1","3.8.1-rc1","3.8.2","3.8.2-rc1","3.8.3","3.8.3-rc1","3.8.4","3.8.4-rc1","3.8.5","3.8.5-rc1","3.8.6","3.8.6-rc1","3.8.7","3.8.7-rc1","4.0.1-rc1","4.0.1.1-rc1","4.0.1.2-rc1","4.0.1.3","4.0.1.3-rc1","4.0.1.3-rc10","4.0.1.3-rc11","4.0.1.3-rc12","4.0.1.3-rc13","4.0.1.3-rc2","4.0.1.3-rc3","4.0.1.3-rc4","4.0.1.3-rc5","4.0.1.3-rc6","4.0.1.3-rc7","4.0.1.3-rc8","4.0.1.3-rc9","4.0.1.4","4.0.1.5","4.0.1.6","4.0.1.7","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.16","4.0.17","4.0.18","4.0.19","4.0.2","4.0.2.2","4.0.20","4.0.21","4.0.22","4.0.23","4.0.24","4.0.25","4.0.26","4.0.27","4.0.28","4.0.29","4.0.3.1","4.0.3.2","4.0.30","4.0.31","4.0.32","4.0.33","4.0.4.1","4.0.5.1","4.0.5.2","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.10.0","4.11.0","4.12.0","4.13.0","4.14.0","4.15.0","4.2.0","4.3.0","4.4.0","4.5.0","4.6.0","4.7.0","4.8.0","4.9.0","5.0.0","5.0.1","5.1.0","5.2.0","5.3.0","5.4.0","6.0.0","6.1.0","6.10.0","6.11.0","6.12.0","6.13.0","6.14.0","6.15.0","6.16.0","6.17.0","6.18.0","6.2.0","6.3.0","6.4.0","6.5.0","6.6.0","6.7.0","6.8.0","6.9.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"github.com/pubnub/swift","ecosystem":"SwiftURL","purl":"pkg:swift/github.com/pubnub/swif
t"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"6.2.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"pubnub","ecosystem":"RubyGems","purl":"pkg:gem/pubnub"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"5.3.0"}]}],"versions":["0.1.10","0.1.11","0.1.12","0.1.2","0.1.4","0.1.5","0.1.7","0.1.8","0.1.9","3.3.0.1","3.3.0.2","3.3.0.5","3.3.0.6","3.3.0.7","3.4","3.4.1","3.5.1","3.5.12","3.5.14","3.5.3","3.5.5","3.5.6","3.5.7","3.5.8","3.6.10","3.6.7","3.6.9","3.7.0","3.7.1","3.7.10","3.7.11","3.7.12","3.7.5","3.7.7","3.7.9","3.8.0","3.8.1","3.8.2","3.8.4","3.8.5","4.0.0","4.0.0beta1","4.0.0beta2","4.0.1","4.0.12","4.0.13","4.0.14","4.0.15","4.0.16","4.0.17","4.0.18","4.0.19","4.0.20","4.0.21","4.0.22","4.0.23","4.0.25","4.0.27","4.0.28","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.1.2","4.1.5","4.1.6","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.2.5","4.2.6","4.2.7","4.3.0","4.4.0","4.5.0","4.6.0","4.6.1","4.6.2","4.7.0","4.7.1","4.8.0","5.0.0","5.1.0","5.1.1","5.1.2","5.2.0","5.2.1","5.2.2"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"pubnub","ecosystem":"crates.io","purl":"pkg:cargo/pubnub"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.4.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"pubnub/pubnub","ecosystem":"Packagist","purl":"pkg:composer/pubnub/pubnub"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.0"}]}],"versions":["3.5","3.8.0","3.8.1","3.8.3","4.0.0","4.0.0-alpha","4.0.0-beta","4.0.0-beta.2","4.0.0-beta.3","4.1.0","4.1.
1","4.1.2","4.1.3","4.1.4","4.1.5","4.1.7","4.2.0","4.3.0","4.4.0","4.5.0","4.6.0","4.7.0","5.0.0","5.1.0","6.0.0","6.0.1","v3.5.2","v3.5.3","v3.5.4","v3.6.0","v3.6.1","v3.6.2","v3.6.3","v3.7.0","v3.7.1","v3.7.2","v3.7.3","v3.7.4","v3.7.5","v3.7.6","v3.7.7","v3.7.8","v3.7.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"pubnub","ecosystem":"Pub","purl":"pkg:pub/pubnub"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.3.0"}]}],"versions":["0.1.0","0.1.1","1.0.2","1.0.3","1.0.4","1.0.5","1.1.0","1.1.1","1.1.2","1.1.3","1.2.0","1.3.0","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","2.0.0","2.0.1","3.0.0","3.0.0-rc","3.0.0-rc.1","3.0.0-rc.2","3.0.1","3.0.2","3.1.0","3.2.0","4.0.0","4.0.0-beta.0","4.0.0-beta.1","4.0.0-beta.2","4.1.0","4.1.1","4.1.2","4.1.3","4.2.1","4.2.2","4.2.3","4.2.4"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}},{"package":{"name":"pubnub","ecosystem":"PyPI","purl":"pkg:pypi/pubnub"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.3.0"}]}],"versions":["3.3","3.3.1","3.3.2","3.3.4","3.3.5","3.5.0","3.5.1","3.5.2","3.5.3","3.7.0","3.7.1","3.7.2","3.7.3","3.7.4","3.7.5","3.7.6","3.7.7","3.7.8","3.8.0","3.8.1","3.8.2","3.8.3","3.9.0","4.0.0","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.1.2","4.1.3","4.1.4","4.1.5","4.1.6","4.1.7","4.2.0","4.2.1","4.3.0","4.4.0","4.5.0","4.5.1","4.5.2","4.5.3","4.5.4","4.6.0","4.6.1","4.7.0","4.8.0","4.8.1","5.0.0","5.0.1","5.1.0","5.1.1","5.1.2","5.1.3","5.1.4","5.2.0","5.2.1","5.3.0","5.3.1","5.4.0","5.5.0","6.0.0","6.0.1","6.1.0","6.2.0","6.3.0","6.3.1","6.3.2","6.3.3","6.4.0","6.4.1","6.5.0","6.5.1","7.0.0","7.0.1","7.0.2","7.1.0","7.2.0"],"data
base_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/12/GHSA-5844-q3fc-56rh/GHSA-5844-q3fc-56rh.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}