Use of insecure random number generator in Passeo
Description
Passeo is an open source Python password generator. Versions prior to 1.0.5 rely on the Python random library for random value selection. The Python random library warns that it should not be used for security purposes because it relies on a non-cryptographically secure random number generator. As a result, a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Passeo password generator prior to 1.0.5 used Python's insecure random module, allowing password predictability.
Vulnerability
The Passeo password generator (versions before 1.0.5) used Python's random module to generate passwords. The random module uses the Mersenne Twister PRNG, which is not cryptographically secure [1][2]. As a result, an attacker who can obtain a few generated passwords may be able to recover the internal state and predict future passwords.
Exploitation
No authentication is required to exploit this vulnerability; the attacker only needs access to a set of passwords generated by the affected versions. By analyzing the output, a motivated attacker can reconstruct the PRNG state and guess subsequent passwords with significant probability.
Impact
Successful exploitation allows the attacker to predict passwords generated by Passeo, potentially compromising user accounts that rely on these passwords for security. The severity is high as it undermines the cryptographic strength expected from a password generator.
Mitigation
The issue is fixed in version 1.0.5, where the random module was replaced with secrets for cryptographically secure random number generation [3][4]. Users should upgrade immediately. There are no known workarounds for older versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
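The fix described above, reimplemented as an added example (this is not Passeo's code): it keeps the generate() flags named in the advisory but builds the pool from the full character classes and draws every position with the secrets module, and the added entropy_bits() helper shows why the alphabet size matters as much as the RNG. Unlike Passeo, it does not forbid enabling uppercase and lowercase together.

```python
import math
import secrets
import string

# The character classes Passeo's generate() exposes as flags.
CLASSES = {
    "numbers": string.digits,
    "symbols": string.punctuation,
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "space": " ",
}

def build_alphabet(**flags):
    """Concatenate the whole character class for every enabled flag.

    This step must stay intact: appending a single secrets.choice(<class>)
    per flag would collapse the pool to a handful of symbols.
    """
    alphabet = "".join(chars for name, chars in CLASSES.items() if flags.get(name))
    if not alphabet:
        raise ValueError("enable at least one character class")
    return alphabet

def generate(length, **flags):
    """CSPRNG-backed generator: full alphabet, secrets.choice() with
    replacement, and at least one character from every enabled class."""
    alphabet = build_alphabet(**flags)
    enabled = [chars for name, chars in CLASSES.items() if flags.get(name)]
    if length < len(enabled):
        raise ValueError("length must cover every enabled class")
    chars = [secrets.choice(cls) for cls in enabled]          # class coverage
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                     # CSPRNG shuffle
    return "".join(chars)

def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size) if alphabet_size > 1 else 0.0

if __name__ == "__main__":
    flags = dict(numbers=True, symbols=True, uppercase=True, lowercase=True)
    print(generate(16, **flags))
    # Full pool (94 symbols) vs. a pool of one character per class (4 symbols).
    full = len(build_alphabet(**flags))
    print(f"{entropy_bits(full, 16):.1f} bits vs {entropy_bits(4, 16):.1f} bits")
```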
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| passeo (PyPI) | < 1.0.5 | 1.0.5 |
Affected products
- (no CPE) range: < 1.0.5
Patches
8caa798b6bc4 Merge pull request #4 from ArjunSharda/randomlibcriticalpatch
1 file changed · +50 −22
src/passeo/__init__.py+50 −22 modified@@ -1,32 +1,36 @@ -import random import string import hashlib import requests +import secrets class passeo: def __init__(self): def generate(length, numbers=False, symbols=False, uppercase=False, lowercase=False, space=False, save=False): password = '' - if numbers: - password += string.digits - if symbols: - password += string.punctuation - if uppercase: - password += string.ascii_uppercase - if lowercase: - if uppercase: - raise ValueError('Uppercase and lowercase are both true, please make one of them false.') - password += string.ascii_lowercase - if space: + if numbers is True: + password += secrets.choice(string.digits) + if symbols is True: + password += secrets.choice(string.punctuation) + if lowercase and uppercase == True: + raise ValueError('Uppercase and lowercase are both true, please make one of them false.') + + if uppercase is True: + password += secrets.choice(string.ascii_uppercase) + if lowercase is True: + password += secrets.choice(string.ascii_lowercase) + + + if space is True: password += ' ' - PasseoPassword = ''.join(random.sample(password, length)) - if save: + PasseoPassword = ''.join(secrets.choice(password) for i in range(length)) + if save is True: with open('passeo_passwords.txt', 'a') as file: file.write(PasseoPassword + '\n') return PasseoPassword + self.generate = generate def strengthcheck(password): 
@@ -47,27 +51,51 @@ def strengthcheck(password): elif y == None: StrengthCheckQuiz['Pwned'] = '1/3: FAIL: An error has occurred, please try again.' if length < 8: - StrengthCheckQuiz['Length'] = '2/3: FAIL: Your password is too short, it is recommended to make it longer.' + StrengthCheckQuiz[ + 'Length'] = '2/3: FAIL: Your password is too short, it is recommended to make it longer.' elif length >= 8 and length <= 16: - StrengthCheckQuiz['Length'] = '2/3: PASS: Your password is long enough! It could be longer, but is great.' + StrengthCheckQuiz[ + 'Length'] = '2/3: PASS: Your password is long enough! It could be longer, but is great.' elif length > 16: StrengthCheckQuiz['Length'] = '2/3: PASS: Your password is very long, good job!' - + elif length == None: StrengthCheckQuiz['Length'] = '2/3: FAIL: An error has occurred, please try again.' if password.lower(): - StrengthCheckQuiz['Case'] = '3/3: FAIL: Your password has lowercase letters, but not uppercase letters, it is recommended to add uppercase letters.' + StrengthCheckQuiz[ + 'Case'] = '3/3: FAIL: Your password has lowercase letters, but not uppercase letters, it is recommended to add uppercase letters.' elif password.upper(): - StrengthCheckQuiz['Case'] = '3/3: FAIL: Your password has uppercase letters, however it is also recommended to add lowercase letters.' + StrengthCheckQuiz[ + 'Case'] = '3/3: FAIL: Your password has uppercase letters, however it is also recommended to add lowercase letters.' elif password.lower() and password.upper(): - StrengthCheckQuiz['Case'] = '3/3: PASS: Your password has both uppercase and lowercase letters, good job!' - + StrengthCheckQuiz[ + 'Case'] = '3/3: PASS: Your password has both uppercase and lowercase letters, good job!' + elif password == None: StrengthCheckQuiz['Case'] = '3/3: FAIL: An error has occurred, please try again.' 
- return str(StrengthCheckQuiz['Pwned']) + '\n' + str(StrengthCheckQuiz['Length'] + '\n' + str(StrengthCheckQuiz['Case']) + '\n' + 'The Passeo password strength test has ended. Any questions/bugs? Raise a issue on https://github.com/ArjunSharda/Passeo/issue.') + return str(StrengthCheckQuiz['Pwned']) + '\n' + str(StrengthCheckQuiz['Length'] + '\n' + str( + StrengthCheckQuiz[ + 'Case']) + '\n' + 'The Passeo password strength test has ended. Any questions/bugs? Raise a issue on https://github.com/ArjunSharda/Passeo/issue.') self.strengthcheck = strengthcheck + + def quickgenerate(length=int, save=False, bulk=1): + PASSEO_QUICKGEN_PASSWORD = ''.join( + secrets.choice(string.ascii_letters + string.digits) for i in range(length)) + if save: + with open('passeo_quickgen_passwords.txt', 'a') as file: + file.write(PASSEO_QUICKGEN_PASSWORD + '\n') + if bulk > 1: + with open('passeo_quickgen_bulk_passwords.txt', 'a') as bulkf: + for i in range(bulk): + bulkf.write(''.join( + secrets.choice(string.ascii_letters + string.digits) for i in range(length)) + '\n') + + return PASSEO_QUICKGEN_PASSWORD + + + self.quickgenerate = quickgenerate
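Review bot: in the first hunk (generate()), the RNG swap also changes the alphabet, not just the sampler. Before, `password += string.digits` and the analogous lines concatenated the whole character class and `random.sample(password, length)` drew from that pool; after, `password += secrets.choice(string.digits)` appends one randomly chosen character per enabled class, so the final `''.join(secrets.choice(password) for i in range(length))` selects from a pool of at most five characters (one digit, one punctuation mark, one uppercase letter, one lowercase letter, a space), and with only numbers=True the output is a single digit repeated length times. Keep the pool construction as `password += string.digits` (and likewise for the other classes) and use secrets only in the final selection. Separately, `if lowercase and uppercase == True:` only works because of operator precedence; `if lowercase and uppercase:` states the intent, and the new `is True` comparisons can return to the plain truth tests the old code used.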
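Review bot: in the second hunk, `def quickgenerate(length=int, save=False, bulk=1)` defaults length to the built-in type `int`, so `quickgenerate()` without an argument fails with a TypeError inside `range(length)`; make `length` a required positional argument or give it an integer default. In the same function the bulk branch writes `bulk` fresh passwords to passeo_quickgen_bulk_passwords.txt but returns only PASSEO_QUICKGEN_PASSWORD, which is not one of them, and the inner generator reuses the loop variable `i`; return the generated list when bulk > 1 (or document that the return value is separate) and rename the inner variable. The re-indented strengthcheck assignments are behaviour-neutral, though `if password.lower():` is truthy for any non-empty password, so the later Case branches are unreachable; that predates this change but is worth a follow-up.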
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mhhf-vgwh-fw9h (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23472 (NVD)
- github.com/ArjunSharda/Passeo/commit/8caa798b6bc4647dca59b2376204b6dc6176361a (fix commit)
- github.com/ArjunSharda/Passeo/security/advisories/GHSA-mhhf-vgwh-fw9h (vendor advisory)
- github.com/pypa/advisory-database/tree/main/vulns/passeo/PYSEC-2022-42997.yaml (PyPA advisory database)
- peps.python.org/pep-0506 (PEP 506, the secrets module)
News mentions
No linked articles in our index yet.