Vulnerabilities

 1 via 2 paths

Dependencies

 120

Source

 GitHub

Commit

 master

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

medium severity

Improper Validation of Specified Index, Position, or Offset in Input

  • Vulnerable module: uuid
  • Introduced through: uuid@3.4.0 and botched@0.4.3

Detailed paths

  • Introduced through: komapi@komapijs/komapi#master uuid@3.4.0
    Remediation: Upgrade to uuid@11.1.1.
  • Introduced through: komapi@komapijs/komapi#master botched@0.4.3 uuid@3.4.0

Overview

uuid is a RFC4122 (v1, v4, and v5) compliant UUID library.

Affected versions of this package are vulnerable to Improper Validation of Specified Index, Position, or Offset in Input due to accepting external output buffers but not rejecting out-of-range writes (small buf or large offset). This inconsistency allows silent partial writes into caller-provided buffers.

PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Remediation

Upgrade uuid to version 11.1.1, 14.0.0 or higher.

References

Improper Validation of Specified Index, Position, or Offset in Input vulnerability report