uuid-8.3.2.tgz: 1 vulnerabilities (highest severity is: 9.8) [master] (reachable) #56

@renovate

Description

📂 Vulnerable Library - uuid-8.3.2.tgz

RFC4122 (v1, v4, and v5) UUIDs

Path to dependency file: /frontend/package.json

Findings

Finding: CVE-2026-41907
Severity: 🟣 Critical
CVSS: 9.8
Exploit Maturity: Not Defined
EPSS: < 1%
Library: uuid-8.3.2.tgz
Type: Direct
Fixed in: v11.1.1, v12.0.1, v13.0.1 (https://github.com/uuidjs/uuid.git)
Reachability: Reachable

Details

🟣 CVE-2026-41907

Vulnerable Library - uuid-8.3.2.tgz

RFC4122 (v1, v4, and v5) UUIDs

Library home page: https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz

Path to dependency file: /frontend/package.json

Dependency Hierarchy:

  • react-scripts-5.0.1.tgz (Root Library)
    • webpack-dev-server-4.9.1.tgz
      • sockjs-0.3.24.tgz
        • uuid-8.3.2.tgz (Vulnerable Library)
  • uuid-8.3.2.tgz (Vulnerable Library)

Reachability Analysis

This vulnerability is potentially reachable:

- damn-vulnerable-crypto-app-backend-1.0.0/src/services/FlagService.ts (Application)
    - uuid-8.3.2/dist/index.js (Extension)
        - uuid-8.3.2/dist/v5.js (Extension)
            -> ❌ uuid-8.3.2/dist/sha1.js (Vulnerable Component)

Vulnerability Details

uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.

Publish Date: Apr 24, 2026 06:09 PM

URL: CVE-2026-41907

Threat Assessment

Exploit Maturity: Not Defined

EPSS: < 1%

Score: 9.8


Suggested Fix

Type: Upgrade version

Origin: GHSA-w5hq-g745-h8pq

Release Date: Apr 24, 2026 06:09 PM

Fix Resolution: https://github.com/uuidjs/uuid.git - v11.1.1, v12.0.1, v13.0.1
