CVE-2024-36823 – The encrypt() function in Ninja Core v7.0.0 use... (How to Fix)

Q: What is the severity of CVE-2024-36823?

CVE-2024-36823 has a CVSS score of 7.5 (HIGH). The encrypt() function in Ninja Core v7.0.0 uses a weak cryptographic algorithm, potentially allowing attackers to decrypt sensitive information. This affects all systems running Ninja Core v7.0.0 that use the encrypt() function for data protection.

📋 TL;DR

The encrypt() function in Ninja Core v7.0.0 uses a weak cryptographic algorithm, potentially allowing attackers to decrypt sensitive information. This affects all systems running Ninja Core v7.0.0 that use the encrypt() function for data protection.

💻 Affected Systems

Products:

Ninja Core

Versions: v7.0.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects systems using the encrypt() function. The vulnerability exists in the core library itself.

📦 What is this software?

Ninja by Ninjaframework

View all CVEs affecting Ninja →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all encrypted data including passwords, session tokens, and confidential information stored using the vulnerable function.

🟠

Likely Case

Exposure of some encrypted data that attackers can decrypt using brute force or cryptographic attacks against the weak algorithm.

🟢

If Mitigated

Limited impact if strong network controls prevent access to encrypted data or if minimal sensitive data uses the vulnerable function.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires access to encrypted data and knowledge of the weak algorithm used. No authentication bypass is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v7.0.1 or later

Vendor Advisory: https://github.com/ninjaframework/ninja/issues

Restart Required: Yes

Instructions:

1. Check current Ninja Core version. 2. Update to v7.0.1 or later via package manager. 3. Restart all services using Ninja Core. 4. Re-encrypt any data previously encrypted with the vulnerable function.

🔧 Temporary Workarounds

Replace encrypt() with secure alternative

all

Manually replace calls to the vulnerable encrypt() function with a secure cryptographic implementation like AES-256-GCM.

🧯 If You Can't Patch

Isolate systems using Ninja Core v7.0.0 from untrusted networks
Implement additional encryption layer for sensitive data using a secure algorithm before using the vulnerable encrypt() function

🔍 How to Verify

Check if Vulnerable:

Check if Ninja Core version is exactly 7.0.0 and if the application uses the encrypt() function.

Check Version:

Check package.json or build configuration for 'ninja-core' version, or run: npm list ninja-core (if using npm)

Verify Fix Applied:

Verify Ninja Core version is 7.0.1 or later and test that encrypted data cannot be decrypted using known weak algorithm attacks.

📡 Detection & Monitoring

Log Indicators:

Unusual decryption attempts or errors in cryptographic operations

Network Indicators:

Traffic patterns suggesting bulk data extraction from encrypted storage

SIEM Query:

source="application_logs" AND ("encrypt" OR "decrypt") AND error OR warning

📊 Metadata

CVE ID: CVE-2024-36823

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-326

Published: June 6, 2024

Last Updated: March 25, 2025

🔗 References

https://github.com/ninjaframework/ninja/issues Issue Tracking
https://github.com/ninjaframework/ninja/issues Issue Tracking

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-36823, you might also want to check these: