Core Library
MSAL Node (@azure/msal-node)
Core Library Version
5.1.2
Wrapper Library
Not Applicable
Wrapper Library Version
None
Public or Confidential Client?
Confidential
Description
@azure/msal-node depends on uuid@8.x which has a moderate-severity security advisory (GHSA-w5hq-g745-h8pq): missing buffer bounds check in uuid v3/v5/v6 when buf and/or offset parameters are provided and the buffer is too small.
The fix requires uuid@>=14.0.0, but @azure/msal-node currently pins uuid@^8, causing any downstream consumer of @azure/identity to receive the vulnerable version as a transitive dependency with no non-breaking resolution path.
Error Message
uuid <14.0.0
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install @azure/identity@1.1.0, which is a breaking change
node_modules/uuid
@azure/msal-node *
Depends on vulnerable versions of uuid
node_modules/@azure/msal-node
@azure/identity >=1.2.0-alpha.20200903.1
Depends on vulnerable versions of @azure/msal-node
node_modules/@azure/identity
MSAL Logs
N/A — this is a dependency vulnerability report, not a runtime error.
Network Trace (Preferably Fiddler)
MSAL Configuration
// N/A — vulnerability exists at install time regardless of configuration
Relevant Code Snippets
// package.json
{
  "dependencies": {
    "@azure/identity": "^4.13.1"
  }
}
Reproduction Steps
- Create a new Node.js project
- Install @azure/identity: npm install @azure/identity
- Run npm audit
- Observe the uuid <14.0.0 moderate vulnerability reported via @azure/msal-node
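The audit output above only tells you that a vulnerable copy exists somewhere in the tree. The script below is an added example (it is not part of this issue, of msal-node, or of npm) that walks a lockfileVersion 3 package-lock.json, finds every installed copy of a package below the fixed version, and prints the dependency path that pulls it in, so a CI job can fail on the transitive uuid without waiting for the next npm audit. It assumes the lockfile layout (a `packages` map keyed by node_modules path, with per-package `dependencies`) and resolves "who depends on this" by package name only, ignoring nested duplicates; the embedded lockfile is a constructed sample that mirrors the chain in this report.

```javascript
// Added example: report copies of a package below a fixed version in a
// lockfileVersion 3 package-lock.json, with the path that pulls each one in.
// Constructed sample lockfile mirroring the chain in the issue
// (@azure/identity -> @azure/msal-node -> uuid); versions are sample values.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "@azure/identity": "^4.13.1" } },
    "node_modules/@azure/identity": {
      version: "4.13.1",
      dependencies: { "@azure/msal-node": "^5.1.2" },
    },
    "node_modules/@azure/msal-node": {
      version: "5.1.2",
      dependencies: { uuid: "^8.3.0" },
    },
    "node_modules/uuid": { version: "8.3.2" },
  },
};

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: "9.0.0" is below "14.0.0", which a string compare gets wrong.
function isBelow(version, fixedIn) {
  const a = parseSemver(version);
  const b = parseSemver(fixedIn);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// "node_modules/@azure/msal-node/node_modules/uuid" -> "uuid"
function packageName(lockKey) {
  const parts = lockKey.split("node_modules/");
  return parts[parts.length - 1];
}

// Keys of every package (including the root "") that declares `name` as a dependency.
function dependentKeys(lock, name) {
  return Object.entries(lock.packages)
    .filter(([, pkg]) => pkg.dependencies && name in pkg.dependencies)
    .map(([key]) => key);
}

// Walk reverse edges from an installed package up to the project root.
// Assumption: the first dependent found by name is the one that hoisted it.
function dependencyChain(lock, startKey) {
  const chain = [];
  const seen = new Set();
  let key = startKey;
  while (key !== "" && !seen.has(key)) {
    seen.add(key);
    chain.push(`${packageName(key)}@${lock.packages[key].version}`);
    const parents = dependentKeys(lock, packageName(key));
    if (parents.length === 0) break;
    key = parents[0];
  }
  return chain.reverse().join(" > ");
}

// Every installed copy of `name` whose version is below `fixedIn`.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  for (const [key, pkg] of Object.entries(lock.packages)) {
    if (key === "" || packageName(key) !== name) continue;
    if (!isBelow(pkg.version, fixedIn)) continue;
    hits.push({ version: pkg.version, path: dependencyChain(lock, key) });
  }
  return hits;
}

console.log(findVulnerable(SAMPLE_LOCK, "uuid", "14.0.0"));
```

For a real project, load the lockfile with JSON.parse over the contents of package-lock.json and exit non-zero when findVulnerable returns any hits; the path string in each hit is what you paste into an issue like this one to show the maintainer exactly which edge pins the old version.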
Expected Behavior
@azure/msal-node should upgrade its uuid dependency to >=14.0.0 (or replace it with a non-vulnerable alternative), so downstream consumers do not receive security alerts for a transitive dependency they cannot resolve themselves.
Identity Provider
Entra ID (formerly Azure AD) / MSA
Browsers Affected (Select all that apply)
None (Server)
Regression
N/A