🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Insecure UUID

An Insecure UUID vulnerability arises when UUIDs (Universally Unique Identifiers) are used as a source of randomness, but non-random versions are implemented. Only UUID version 4 is designed to generate identifiers using strong random values, providing high entropy and uniqueness. Other versions (e.g., version 1, which incorporates timestamps and MAC addresses) introduce predictable patterns that can be exploited by adversaries. This may lead to vulnerabilities such as predictable token generation, session fixation, user enumeration, or unauthorised access to protected resources.

Remediation

  • Always generate UUIDs using version 4 (random-based) to ensure sufficient entropy and avoid predictability.
  • Do not rely on UUIDs alone as a source of randomness for security-sensitive operations (e.g., session tokens, password reset links).
  • Use cryptographically secure random number generators (CSPRNGs) for token and key generation.
  • Enforce proper length and entropy requirements when using UUIDs in security-critical contexts.

Metadata

  • Severity: low
  • Slug: insecure-uuid

CWEs

  • 337: Predictable Seed in Pseudo-Random Number Generator (PRNG)
  • 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • 331: Insufficient Entropy

OWASP

  • A02:2021: Cryptographic Failures
  • A07:2021: Identification and Authentication Failures

Available Labs

Open Python labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.