Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security
Description
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Spring Security's SecureRandomFactoryBean#setSeed produces predictable values if an attacker can observe the random output.
Vulnerability
Description
CVE-2019-3795 is an insecure randomness vulnerability in Spring Security affecting versions 4.2.x before 4.2.12, 5.0.x before 5.0.12, and 5.1.x before 5.1.5. The issue lies in the SecureRandomFactoryBean#setSeed method, which allows an application to provide a seed for configuring a SecureRandom instance. When a seed is supplied, the resulting random values may be predictable if an attacker is able to observe those values.
Attack
Vector and Prerequisites
Exploitation requires two conditions: the application must explicitly call setSeed with a seed, and the attacker must be able to inspect the random output generated from that seeded instance. This is not a remote code execution or network-based attack; rather, it weakens the security of any cryptographic operation that relies on the seeded SecureRandom. Typical scenarios include generating session tokens or CSRF tokens, where unpredictability is critical.
Impact
If an attacker can observe enough random outputs, they may be able to reconstruct the internal state and predict future random values. This could lead to session hijacking, token forgery, or bypassing security controls that depend on unpredictability. The vulnerability is rated moderate severity, as it requires specific conditions to be exploitable.
Mitigation
Users should upgrade to patched versions: 4.2.12, 5.0.12, or 5.1.5. Alternatively, avoid using SecureRandomFactoryBean#setSeed and rely on the default seeded instance. The GitHub advisory [2] and NVD entry [1] provide more details.
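As an added illustration (not part of this advisory and not Spring Security's own code), the following plain-JDK program shows why a seed applied before the generator has produced any output is dangerous, and contrasts it with the advisory's recommended default-seeded instance. It relies on a documented property of the JDK's SHA1PRNG provider, namely that a seed passed to setSeed before the first nextBytes call replaces the provider's own seeding instead of supplementing it; the seed value is constructed, and no Spring classes are needed to run it.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeedOrderingCheck {
    // Constructed stand-in for a static seed an application might ship in a file.
    static final byte[] FIXED_SEED = "constructed-static-seed".getBytes(StandardCharsets.UTF_8);

    // Weak pattern: the seed is applied before the generator has produced any output.
    // For the JDK's SHA1PRNG this makes the seed the generator's only entropy, so
    // every instance built this way yields the same byte stream.
    static byte[] seedBeforeFirstOutput(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.setSeed(seed);
        byte[] out = new byte[n];
        rnd.nextBytes(out);
        return out;
    }

    // Safer pattern: draw one byte first so the provider self-seeds from the
    // platform, then mix in the caller's seed as a supplement rather than a replacement.
    static byte[] selfSeedThenSupplement(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.nextBytes(new byte[1]);
        rnd.setSeed(seed);
        byte[] out = new byte[n];
        rnd.nextBytes(out);
        return out;
    }

    // The advisory's recommended mitigation: supply no seed and use the default instance.
    static byte[] defaultSeeded(int n) {
        byte[] out = new byte[n];
        new SecureRandom().nextBytes(out);
        return out;
    }

    // Compares two independently built instances per pattern: identical output
    // across instances means the stream is a pure function of the fixed seed.
    public static void main(String[] args) throws Exception {
        System.out.println("seed-first identical:   "
                + Arrays.equals(seedBeforeFirstOutput(FIXED_SEED, 16), seedBeforeFirstOutput(FIXED_SEED, 16)));
        System.out.println("self-seeded identical:  "
                + Arrays.equals(selfSeedThenSupplement(FIXED_SEED, 16), selfSeedThenSupplement(FIXED_SEED, 16)));
        System.out.println("default identical:      "
                + Arrays.equals(defaultSeeded(16), defaultSeeded(16)));
    }
}
```

Only the seed-first pattern produces matching streams across separately constructed instances, which is the observable symptom of the predictability described above.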
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.springframework.security:spring-security-core | Maven | >= 4.2.0, < 4.2.12 | 4.2.12 |
| org.springframework.security:spring-security-core | Maven | >= 5.0.0, < 5.0.12 | 5.0.12 |
| org.springframework.security:spring-security-core | Maven | >= 5.1.0, < 5.1.5 | 5.1.5 |
Affected products
- Spring / Spring Security v5 (range: 5.0)
References
- [1] nvd.nist.gov/vuln/detail/CVE-2019-3795 (NVD entry)
- [2] github.com/advisories/GHSA-v2r2-7qm7-jj6v (GitHub Security Advisory)
- [3] www.securityfocus.com/bid/107802 (vulnerability database entry, BID)
- [4] lists.debian.org/debian-lts-announce/2019/05/msg00026.html (mailing list, debian-lts-announce)
- [5] pivotal.io/security/cve-2019-3795 (vendor confirmation)