[CWE-330] Predictable Random Seeding Found in Ruby-Statistics Weibull Distribution Module
A security scanner has identified a cryptographic weakness in the ruby-statistics library, flagging the use of a predictable random number generator in a statistical distribution module. The vulnerability, classified under CWE-330 (Use of Insufficiently Random Values), appears in the Weibull distribution implementation at line 52 of lib/ruby-statistics/distribution/weibull.rb, where the code calls srand(seed) to initialize the random number generator.
Calling srand() with a fixed seed makes the sequence returned by subsequent rand() calls deterministic: anyone who knows or can guess the seed can reproduce it. In security-sensitive contexts, this predictability undermines cryptographic operations, session tokens, or any function that relies on randomness for protection. The ruby-statistics library, maintained by developer jasoncaryallen on the master branch, carries this flaw, which was detected by the RSOLV automated security scanner on April 30, 2026. The finding carries 80% confidence and is mapped to OWASP Top 10 category A02:2021 (Cryptographic Failures).
The issue raises questions about how the library's random number capabilities are being used downstream. Statistical libraries like this one often serve as dependencies in broader applications, and developers may unknowingly incorporate predictable randomness into security-critical paths. The report recommends replacing weak seeding mechanisms with modern cryptographic alternatives, though no confirmed exploitation or downstream impact is documented. Users of the jasoncaryallen/ruby-statistics repository are advised to review their dependency chain and assess whether any security-sensitive operations depend on this module's random behavior.
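The following is an added illustration, not code from the ruby-statistics project: a minimal Weibull sampler (inverse-transform method) written two ways, the flagged pattern that re-seeds the process-wide generator with srand(seed) beside a hardened version that draws from SecureRandom, with checks showing both the reproducibility the finding describes and the global side effect that srand has on Kernel#rand. The WeibullSampler module, its method names and the sample parameters are assumptions made for this example.

```ruby
# Added example (not the ruby-statistics project's code). Weibull samples
# by inverse transform with u ~ Uniform[0,1):
#   x = scale * (-ln(1 - u)) ** (1 / shape)
require 'securerandom'

module WeibullSampler
  # Inverse-CDF transform shared by both variants.
  def self.transform(u, shape, scale)
    scale * (-Math.log(1.0 - u))**(1.0 / shape)
  end

  # Weak (the pattern the scanner flags): srand(seed) re-seeds the
  # process-wide generator, so every sample is reproducible from the seed
  # and every other Kernel#rand caller in the process is affected too.
  def self.weak_sample(shape, scale, seed:)
    srand(seed)
    transform(rand, shape, scale)
  end

  # Hardened: draw u from the OS-backed CSPRNG; nothing caller-controlled
  # determines the stream and the global generator is left untouched.
  def self.strong_sample(shape, scale)
    transform(SecureRandom.random_number, shape, scale)
  end
end

# Same seed, same sample: the predictability behind CWE-330.
def weak_is_reproducible?(seed = 42)
  a = WeibullSampler.weak_sample(2.0, 1.5, seed: seed)
  b = WeibullSampler.weak_sample(2.0, 1.5, seed: seed)
  a == b
end

# After weak_sample runs, unrelated Kernel#rand output is predictable too.
def weak_clobbers_global_rng?(seed = 42)
  WeibullSampler.weak_sample(2.0, 1.5, seed: seed)
  first = rand
  WeibullSampler.weak_sample(2.0, 1.5, seed: seed)
  first == rand
end

# Two hardened draws differ (collision probability is negligible).
def strong_samples_differ?
  WeibullSampler.strong_sample(2.0, 1.5) != WeibullSampler.strong_sample(2.0, 1.5)
end
```

The side-effect check is the practical reason a library should never call srand: it silently resets randomness for the whole process, not just for the distribution being sampled.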