CWE-340 Class Incomplete

Generation of Predictable Numbers or Identifiers

This vulnerability occurs when a system creates numbers or identifiers that are too easy to guess, undermining security mechanisms that rely on unpredictability.

Definition

What is CWE-340?

This vulnerability occurs when a system creates numbers or identifiers that are too easy to guess, undermining security mechanisms that rely on unpredictability.
Predictable identifiers, like session tokens, initial values for cryptographic operations, or password reset codes, act as weak links in your security chain. Attackers can analyze the pattern or sequence to forecast future values, allowing them to hijack user sessions, bypass authentication, or spoof legitimate transactions. This often stems from using weak random number generators, time-based values, or simple incremental counters in security-sensitive contexts. To prevent this, developers should use cryptographically secure pseudo-random number generators (CSPRNGs) provided by the platform's security libraries for all security-critical operations. Always ensure identifiers have sufficient entropy (randomness) and length to resist brute-force guessing attacks. Avoid creating your own algorithms for randomness and regularly audit code that generates any token used for authorization, identification, or uniqueness.
Real-world impact

Real-world CVEs caused by CWE-340

  • CVE-2022-29330

    Product for administering PBX systems uses predictable identifiers and timestamps for filenames (CWE-340) which allows attackers to access files via direct request (CWE-425).

  • CVE-2001-1141

    PRNG allows attackers to use the output of small PRNG requests to determine the internal state information, which could be used by attackers to predict future pseudo-random numbers.

  • CVE-1999-0074

    Listening TCP ports are sequentially allocated, allowing spoofing attacks.

How attackers exploit it

Step-by-step attacker path

  1. 1

    This code generates a unique random identifier for a user's session.

  2. 2

    Because the seed for the PRNG is always the user's ID, the session ID will always be the same. An attacker could thus predict any user's session ID and potentially hijack the session.

  3. 3

    This example also exhibits a Small Seed Space (CWE-339).

Vulnerable code example

Vulnerable PHP

This code generates a unique random identifier for a user's session.

Vulnerable PHP 
function generateSessionID($userID){
  	srand($userID);
  	return rand();
  }
Secure code example

Secure pseudo

Secure pseudo 
// Validate, sanitize, or use a safe API before reaching the sink.
function handleRequest(input) {
  const safe = validateAndEscape(input);
  return executeWithGuards(safe);
}
What changed: the unsafe sink is replaced (or the input is validated/escaped) so the same payload no longer triggers the weakness.
Prevention checklist

How to prevent CWE-340

  • Architecture Use safe-by-default frameworks and APIs that prevent the unsafe pattern from being expressible.
  • Implementation Validate input at trust boundaries; use allowlists, not denylists.
  • Implementation Apply the principle of least privilege to credentials, file paths, and runtime permissions.
  • Testing Cover this weakness in CI: SAST rules + targeted unit tests for the data flow.
  • Operation Monitor logs for the runtime signals listed in the next section.
Detection signals

How to detect CWE-340

SAST High

Run static analysis (SAST) on the codebase looking for the unsafe pattern in the data flow.

DAST Moderate

Run dynamic application security testing against the live endpoint.

Runtime Moderate

Watch runtime logs for unusual exception traces, malformed input, or authorization bypass attempts.

Code review Moderate

Code review: flag any new code that handles input from this surface without using the validated framework helpers.

Plexicus auto-fix

Plexicus auto-detects CWE-340 and opens a fix PR in under 60 seconds.

Codex Remedium scans every commit, identifies this exact weakness, and ships a reviewer-ready pull request with the patch. No tickets. No hand-offs.

Get a demo Try Plexicus free
Frequently asked questions

Frequently asked questions

What is CWE-340?

This vulnerability occurs when a system creates numbers or identifiers that are too easy to guess, undermining security mechanisms that rely on unpredictability.

How serious is CWE-340?

MITRE has not published a likelihood-of-exploit rating for this weakness. Treat it as medium-impact until your threat model proves otherwise.

What languages or platforms are affected by CWE-340?

MITRE has not specified affected platforms for this CWE — it can apply across most application stacks.

How can I prevent CWE-340?

Use safe-by-default frameworks, validate untrusted input at trust boundaries, and apply the principle of least privilege. Cover the data-flow signature in CI with SAST.

How does Plexicus detect and fix CWE-340?

Plexicus's SAST engine matches the data-flow signature for CWE-340 on every commit. When a match is found, our Codex Remedium agent opens a fix PR with the corrected code, tests, and a one-line summary for the reviewer.

Where can I learn more about CWE-340?

MITRE publishes the canonical definition at https://cwe.mitre.org/data/definitions/340.html. You can also reference OWASP and NIST documentation for adjacent guidance.

Related weaknesses

Weaknesses related to CWE-340

CWE-330 Parent

Use of Insufficiently Random Values

This vulnerability occurs when an application uses random values that are not sufficiently unpredictable in security-sensitive operations,…

CWE-1204 Sibling

Generation of Weak Initialization Vector (IV)

This vulnerability occurs when software uses a weak or predictable Initialization Vector (IV) for cryptographic operations. Many…

CWE-1241 Sibling

Use of Predictable Algorithm in Random Number Generator

This vulnerability occurs when a device or application relies on a predictable algorithm to generate pseudo-random numbers, making the…

CWE-331 Sibling

Insufficient Entropy

This vulnerability occurs when a system's random number generator or algorithm lacks sufficient unpredictability, creating patterns or…

CWE-334 Sibling

Small Space of Random Values

This vulnerability occurs when a system uses a random number generator that produces too few possible values. Attackers can easily predict…

CWE-335 Sibling

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

This vulnerability occurs when a Pseudo-Random Number Generator (PRNG) is used, but its initial seed value is not handled securely or…

CWE-338 Sibling

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

This vulnerability occurs when software uses a pseudo-random number generator (PRNG) that is not cryptographically strong for…

CWE-344 Sibling

Use of Invariant Value in Dynamically Changing Context

This vulnerability occurs when code uses a fixed, unchanging value (like a hardcoded string, number, or reference) in a situation where…

CWE-384 Can precede

Session Fixation

Session fixation occurs when an application authenticates a user without first destroying the previous session ID. This allows an attacker…

Resources

Further reading

Ready when you are

Don't Let Security
Weigh You Down.

Stop choosing between AI velocity and security debt. Plexicus is the only platform that runs Vibe Coding Security and ASPM in parallel — one workflow, every codebase.