Skip to content

fix(deps): update dependency uuid to v13 [security] - autoclosed#7036

Closed
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-uuid-vulnerability
Closed

fix(deps): update dependency uuid to v13 [security] - autoclosed#7036
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-uuid-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 23, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
uuid ^11.0.0^13.0.1 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

CVE-2026-41907 / GHSA-w5hq-g745-h8pq

More information

Details

Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code
  • src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.
Reproducible PoC
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4 THREW RangeError
  • v5 NO_THROW
  • v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
Security impact
  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.
Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3 and v5)
  • src/v6.ts

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

uuidjs/uuid (uuid)

v13.0.1

Compare Source

Bug Fixes

v13.0.0

Compare Source

⚠ BREAKING CHANGES
  • make browser exports the default (#​901)
Bug Fixes

v12.0.1

Compare Source

v12.0.0

Compare Source

⚠ BREAKING CHANGES
  • update to typescript@​5.2 (#​887)
  • remove CommonJS support (#​886)
  • drop node@​16 support (#​883)
Features
Bug Fixes

v11.1.1

Compare Source

v11.1.0

Compare Source

Features
  • update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

v11.0.5

Compare Source

Bug Fixes

v11.0.4

Compare Source

Bug Fixes

v11.0.3

Compare Source

Bug Fixes

v11.0.2

Compare Source

Bug Fixes

v11.0.1

Compare Source

Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner April 23, 2026 12:07
@renovate renovate Bot added dependencies Pull requests that update a dependency file javascript labels Apr 23, 2026
kodiakhq[bot]
kodiakhq Bot previously approved these changes Apr 23, 2026
View reviewed changes
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from da93c86 to b9ff485 Compare April 27, 2026 09:36
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v14 [security] - autoclosed May 5, 2026
@renovate renovate Bot closed this May 5, 2026
@renovate renovate Bot deleted the renovate/npm-uuid-vulnerability branch May 5, 2026 17:03
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] - autoclosed fix(deps): update dependency uuid to v13 [security] May 6, 2026
@renovate renovate Bot reopened this May 6, 2026
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 361e3ad to b9ff485 Compare May 6, 2026 02:35
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from b9ff485 to 361e3ad Compare May 6, 2026 02:35
kodiakhq[bot]
kodiakhq Bot previously approved these changes May 6, 2026
View reviewed changes
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v13 [security] fix(deps): update dependency uuid to v14 [security] May 8, 2026
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 361e3ad to d9cbe83 Compare May 8, 2026 10:24
kodiakhq[bot]
kodiakhq Bot previously approved these changes May 8, 2026
View reviewed changes
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v13 [security] May 8, 2026
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from d9cbe83 to f35c364 Compare May 8, 2026 10:26
kodiakhq[bot]
kodiakhq Bot previously approved these changes May 8, 2026
View reviewed changes
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from f35c364 to ed4c350 Compare May 8, 2026 18:23
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v13 [security] fix(deps): update dependency uuid to v14 [security] May 8, 2026
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from ed4c350 to 7f4dc03 Compare May 8, 2026 18:25
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v13 [security] May 8, 2026
kodiakhq[bot]
kodiakhq Bot previously approved these changes May 8, 2026
View reviewed changes
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v13 [security] fix(deps): update dependency uuid to v14 [security] May 11, 2026
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 7f4dc03 to 7b7ba16 Compare May 11, 2026 08:38
kodiakhq[bot]
kodiakhq Bot previously approved these changes May 11, 2026
View reviewed changes
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 7b7ba16 to 1cdf7e5 Compare May 11, 2026 08:40
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v13 [security] May 11, 2026
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v13 [security] fix(deps): update dependency uuid to v13 [security] - autoclosed May 12, 2026
@renovate renovate Bot closed this May 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants