CVE-2022-0664
Description
Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5, 0.9.4, 0.10.0, 0.10.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Netmaker used a hard-coded cryptographic key, enabling attackers to compromise network security; fixed in versions 0.8.5, 0.9.4, 0.10.0, 0.10.1.
Vulnerability
Netmaker, a WireGuard network automation tool written in Go, contained a hard-coded cryptographic key in versions prior to 0.8.5, 0.9.4, 0.10.0, and 0.10.1 [1]. The key was used to generate tokens and secrets, making them predictable and undermining the security of the entire network [3]. The weakness lies in the server's random-string generation, which relied on math/rand rather than crypto/rand; the fix introduces the GenerateCryptoString function, built on crypto/rand [3].
Exploitation
An attacker with network access to a Netmaker server could predict the cryptographic key due to its hard-coded nature [1]. No authentication or special privileges are required. Knowing the key, the attacker could forge authentication tokens, decrypt communications, or impersonate legitimate nodes [4]. No user interaction is required; the attacker only needs to send crafted requests.
Impact
Successful exploitation allows an attacker to fully compromise the Netmaker network. This includes unauthorized access to all connected nodes, ability to intercept and modify traffic, and potential lateral movement within the network [1][4]. The confidentiality, integrity, and availability of the entire WireGuard mesh are at risk, with the attacker gaining the same privileges as a legitimate administrator.
Mitigation
The vulnerability is fixed in Netmaker versions 0.8.5, 0.9.4, 0.10.0, and 0.10.1 [1]. The fix replaces the hard-coded key with cryptographically secure random generation using crypto/rand [3]. Users should upgrade immediately to one of these versions or later. No workaround is available for unpatched versions. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
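As an added illustration of the fix described above (not Netmaker's own code), the following Go program places a constructed math/rand-based token generator, standing in for the predictable pre-fix behaviour, beside a crypto/rand generator that follows the patched approach, and computes how much entropy a 64-character token over the patch's 62-symbol alphabet actually carries. The function names, the fixed seed and the shape of the weak generator are assumptions, since the original RandomString is not shown on this page.

```go
package main

import (
	crand "crypto/rand"
	"fmt"
	"math"
	"math/big"
	mrand "math/rand"
)

// Alphabet used by the patched GenerateCryptoString: 62 symbols, no '0'.
const tokenChars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"

// weakToken models the pre-fix pattern (constructed; Netmaker's RandomString is
// not shown on the page). math/rand is deterministic for a given seed, so anyone
// who knows or can guess the seed reproduces the "secret".
func weakToken(seed int64, n int) string {
	r := mrand.New(mrand.NewSource(seed))
	out := make([]byte, n)
	for i := range out {
		out[i] = tokenChars[r.Intn(len(tokenChars))]
	}
	return string(out)
}

// strongToken mirrors the patched approach: each index comes from crypto/rand
// via big.Int, uniform over [0, len(tokenChars)), so there is no modulo bias.
func strongToken(n int) (string, error) {
	out := make([]byte, n)
	limit := big.NewInt(int64(len(tokenChars)))
	for i := range out {
		idx, err := crand.Int(crand.Reader, limit)
		if err != nil {
			return "", err
		}
		out[i] = tokenChars[idx.Int64()]
	}
	return string(out), nil
}

// entropyBits: guessing resistance of an n-symbol token, n * log2(62);
// about 381 bits for n = 64, not the 512 bits suggested by the raw byte length.
func entropyBits(n int) float64 {
	return float64(n) * math.Log2(float64(len(tokenChars)))
}
func main() {
	fmt.Println(weakToken(1, 64) == weakToken(1, 64)) // true: same seed, same secret
	s, _ := strongToken(64)
	fmt.Println(s, entropyBits(64))                   // fresh token, ~381.0
}
```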
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/gravitl/netmaker (Go) | < 0.8.5 | 0.8.5 |
| github.com/gravitl/netmaker (Go) | >= 0.9.0, < 0.9.4 | 0.9.4 |
Affected products
- gravitl/gravitl/netmaker (Range: unspecified)
Patches
2 files changed · +20 −23
logic/jwts.go+5 −1 modified@@ -17,7 +17,11 @@ var jwtSecretKey []byte func SetJWTSecret() { currentSecret, jwtErr := FetchJWTSecret() if jwtErr != nil { - jwtSecretKey = []byte(RandomString(64)) // 512 bit random password + newValue, err := GenerateCryptoString(64) + if err != nil { + logger.FatalLog("something went wrong when generating JWT signature") + } + jwtSecretKey = []byte(newValue) // 512 bit random password if err := StoreJWTSecret(string(jwtSecretKey)); err != nil { logger.FatalLog("something went wrong when configuring JWT authentication") }
logic/util.go+15 −22 modified@@ -2,9 +2,11 @@ package logic import ( + crand "crypto/rand" "encoding/base64" "encoding/json" "fmt" + "math/big" "math/rand" "net" "os" @@ -85,29 +87,20 @@ func SetNetworkNodesLastModified(networkName string) error { return nil } -// // GetNode - fetches a node from database -// func GetNode(macaddress string, network string) (models.Node, error) { -// var node models.Node - -// key, err := GetRecordKey(macaddress, network) -// if err != nil { -// return node, err -// } -// data, err := database.FetchRecord(database.NODES_TABLE_NAME, key) -// if err != nil { -// if data == "" { -// data, _ = database.FetchRecord(database.DELETED_NODES_TABLE_NAME, key) -// err = json.Unmarshal([]byte(data), &node) -// } -// return node, err -// } -// if err = json.Unmarshal([]byte(data), &node); err != nil { -// return node, err -// } -// SetNodeDefaults(&node) +// GenerateCryptoString - generates random string of n length +func GenerateCryptoString(n int) (string, error) { + const chars = "123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-" + ret := make([]byte, n) + for i := range ret { + num, err := crand.Int(crand.Reader, big.NewInt(int64(len(chars)))) + if err != nil { + return "", err + } + ret[i] = chars[num.Int64()] + } -// return node, err -// } + return string(ret), nil +} // DeleteNodeByID - deletes a node from database or moves into delete nodes table func DeleteNodeByID(node *models.Node, exterminate bool) error {
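Review bot: in the logic/jwts.go hunk, the retained comment `// 512 bit random password` on the new `jwtSecretKey = []byte(newValue)` line overstates the secret's strength. GenerateCryptoString draws each of the 64 characters from a 62-symbol alphabet, so the key carries about 64 * log2(62) ≈ 381 bits of entropy, not 512; either correct the comment or, if a printable string is not required for this secret, generate 64 raw bytes from crypto/rand to get the full 512 bits. The new error path mirrors the existing StoreJWTSecret handling with logger.FatalLog, which is consistent, but the message "something went wrong when generating JWT signature" describes a signing secret, not a signature, and would be clearer as such.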
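Review bot: in the logic/util.go hunk that adds GenerateCryptoString, `math/rand` stays imported (which is why the new import is aliased `crand`), so the previous RandomString helper that jwts.go used to call evidently remains in the file; any other caller still using it for secrets keeps the predictable behaviour this commit fixes. Suggest auditing the remaining RandomString call sites and either routing them through GenerateCryptoString or marking RandomString as unsuitable for security-sensitive values. The doc comment `// GenerateCryptoString - generates random string of n length` should also state that the output comes from crypto/rand and that the alphabet deliberately omits `0` (62 symbols: 1-9, A-Z, a-z, `-`), which is what fixes the per-character entropy at roughly 5.95 bits. The crand.Int-per-character loop itself is correct and free of modulo bias; the deletion of the commented-out GetNode block is unrelated cleanup that would be easier to review in its own commit.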
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf (NVD: Patch, Third Party Advisory)
- huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac (NVD: Exploit, Patch, Third Party Advisory)
- github.com/advisories/GHSA-6rrw-4fm9-rghv (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-0664 (GHSA: Advisory)