Will It Vibe logoWill It Vibe?
CRYPTO-012Medium severity-8 points

Math.random() for a security value

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

Math.random() produces predictable output and is used on a line naming a token/secret/session/nonce/key. Use crypto.randomBytes or the Web Crypto API. This is a proximity heuristic.

Why it matters

Math.random() is a non-cryptographic PRNG whose internal state can be recovered from a few outputs, so tokens, session ids, or OTPs built from it are predictable to an attacker. This is a proximity match: it fired because a security-related word sits on the same line. If the value is truly not security-sensitive it may be a false positive.

How to fix it

Use crypto.getRandomValues (browser) or crypto.randomBytes / crypto.randomUUID (Node) for anything an attacker should not be able to guess: tokens, ids, OTPs, nonces, salts, keys. Keep Math.random for cosmetic or simulation values. Convert the random bytes to your needed format (hex, base64url) rather than truncating.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks