CWE-323: Reusing a Nonce, Key Pair in Encryption
Nonces should be used for the present occasion and only once.
Last updated
Overview
CWE-323 (Reusing a Nonce, Key Pair in Encryption) is a base-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
Background
Nonces are often bundled with a key in a communication exchange to produce a new session key for each exchange.
Real-world CVEs
39 recorded CVEs are caused by CWE-323 (Reusing a Nonce, Key Pair in Encryption). The highest-severity and most recent are shown first. 13 new CWE-323 CVEs have been recorded so far in 2026 (4 in 2025).
- CVE-2025-59870
Improper management of a static JWT signing secret in the web application, where the secret lacks rotation , introducing a security risk
Critical · CVSS 9.8 · EPSS 15th2026-01-16 - CVE-2017-7902Critical · CVSS 9.8 · EPSS 83th2017-06-30
- CVE-2026-59099
Apereo CAS 7.3.0 < 8.0.0-RC6 - AES-GCM Nonce Reuse Information Disclosure