CWE-329 Not Using a Random IV with CBC Mode
What this means
SiteShadow flagged CBC-mode encryption that does not use a fresh, random IV for each encryption. In CBC the IV is XORed into the first plaintext block before it is encrypted, so with a fixed IV and the same key, two messages that begin with the same block produce the same first ciphertext block; an observer learns which messages share a prefix, and if the next IV is predictable an attacker who can submit chosen plaintext can test guesses about earlier messages one block at a time.
Why it matters
Predictable IVs weaken confidentiality and enable pattern leakage.
- Under the same key and IV, equal leading plaintext blocks encrypt to equal leading ciphertext blocks, so repeated messages and shared prefixes (a fixed header, a common field value) are visible in the ciphertext.
- If the attacker can predict the IV of the next message and inject chosen plaintext, CBC becomes an oracle for confirming guesses about previously captured blocks; the BEAST attack on TLS 1.0 exploited exactly this kind of predictable, chained IV.
Safer examples
1) Prefer modern authenticated encryption modes
Use AES-GCM or ChaCha20-Poly1305 from a vetted library instead of assembling CBC by hand. AEAD modes still require a nonce that never repeats under the same key: let the library draw it from a CSPRNG, and with AES-GCM and random 96-bit nonces rotate the key well before 2^32 messages.
2) If using CBC, generate a random IV per encryption
Prepend the IV to the ciphertext and read it back on decryption. The IV need not be secret, but it must be unpredictable to anyone who can submit plaintext for encryption. CBC on its own provides no integrity, so authenticate the ciphertext with a MAC (encrypt-then-MAC) unless an AEAD mode is used.
3) Never reuse IVs with the same key
Generate the IV inside the encryption routine from the platform CSPRNG (crypto/rand, SecureRandom, os.urandom or equivalent); do not accept it from the caller, and do not derive it from a counter, a timestamp, the key or the message.
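The following Go program is an added example and is not part of SiteShadow's documentation or code. It puts the flagged pattern beside the two safer options above: a fixed all-zero IV that exposes when two messages share their first block (the leakage described under "Why it matters"), a CBC wrapper that draws a fresh IV from crypto/rand and prepends it to the ciphertext, and AES-GCM as the preferred replacement. The function names, the 32-byte demo key and the two sample messages are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// pkcs7Pad pads msg to a whole number of AES blocks, which CBC requires.
func pkcs7Pad(msg []byte) []byte {
	n := aes.BlockSize - len(msg)%aes.BlockSize
	return append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// cbcEncrypt is the shared CBC core; for CWE-329 what matters is how iv was chosen.
func cbcEncrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// encryptCBCStaticIV is the flagged pattern: an all-zero IV reused for every message.
func encryptCBCStaticIV(key, plaintext []byte) ([]byte, error) {
	return cbcEncrypt(key, make([]byte, aes.BlockSize), plaintext) // BAD: constant IV
}

// encryptCBCRandomIV draws a fresh IV from the OS CSPRNG on every call and
// prepends it to the ciphertext: the IV is public, but not predictable.
func encryptCBCRandomIV(key, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncrypt(key, iv, plaintext)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// sealGCM is the preferred option: AES-GCM with a random 96-bit nonce prepended;
// Seal appends an authentication tag, so any tampering is detected on Open.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// sameFirstBlock reports whether the first ciphertext block (at offset skip) is
// identical in c1 and c2, i.e. whether an observer learns the plaintexts share a prefix.
func sameFirstBlock(c1, c2 []byte, skip int) bool {
	return bytes.Equal(c1[skip:skip+aes.BlockSize], c2[skip:skip+aes.BlockSize])
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key; never hard-code a real one
	m1, m2 := []byte("balance=100;user=alice"), []byte("balance=100;user=bob")
	s1, _ := encryptCBCStaticIV(key, m1)
	s2, _ := encryptCBCStaticIV(key, m2)
	r1, _ := encryptCBCRandomIV(key, m1)
	r2, _ := encryptCBCRandomIV(key, m2)
	fmt.Println("static IV reveals shared prefix:", sameFirstBlock(s1, s2, 0))
	fmt.Println("random IV reveals shared prefix:", sameFirstBlock(r1, r2, aes.BlockSize))
}
```

The two messages share their first 16 bytes ("balance=100;user"), so the static-IV ciphertexts share their first block while the random-IV ciphertexts do not. A receiver of encryptCBCRandomIV output splits the first 16 bytes off as the IV, decrypts the rest with cipher.NewCBCDecrypter and strips the PKCS#7 padding. Even with a random IV the CBC variant has no integrity: flipping a bit in the transmitted IV flips the same bit in the first plaintext block, and a padding-oracle on the decrypt side recovers plaintext, which is why the AEAD option is listed first.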
How SiteShadow detects it (high level)
- Flags crypto API usage where CBC mode is configured with static/predictable IVs.
- Detects IV values derived from constants, zeros, timestamps, or reused variables.
References
- CWE-329: https://cwe.mitre.org/data/definitions/329.html
---