Skip to content

chore(deps): update dependency uuid to v11.1.1 [security]#2672

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-uuid-vulnerability
Open

chore(deps): update dependency uuid to v11.1.1 [security]#2672
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-uuid-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Apr 23, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
uuid 11.1.011.1.1 age confidence

Review

  • Updates have been tested and work
  • If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

CVE-2026-41907 / CVE-2026-41988 / GHSA-w5hq-g745-h8pq

More information

Details

Summary

The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code
  • src/v35.ts (v3()/v5() path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.
Reproducible PoC
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4()',()=>v4({},new Uint8Array(8),4)],
  ['v5()',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6()',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4() THREW RangeError
  • v5() NO_THROW
  • v6() NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
Security impact
  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.
Suggested fix

Add the same guard used by v4()/v1()/v7():

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3() and v5())
  • src/v6.ts

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

uuidjs/uuid (uuid)

v11.1.1

Compare Source

Bug Fixes

Configuration

📅 Schedule: (in timezone America/Montreal)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 6 times, most recently from 16534c9 to 27a672f Compare April 29, 2026 11:19
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from adb9dcc to 933b34a Compare April 30, 2026 21:03
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v14 [security] - autoclosed May 3, 2026
@renovate renovate Bot closed this May 3, 2026
@renovate
renovate Bot deleted the renovate/npm-uuid-vulnerability branch May 3, 2026 06:36
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] - autoclosed fix(deps): update dependency uuid to v14 [security] May 3, 2026
@renovate renovate Bot reopened this May 3, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 5 times, most recently from c0a1bd6 to 7918a19 Compare May 4, 2026 20:23
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11.1.1 [security] May 5, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 5 times, most recently from 61d232f to e68121b Compare May 7, 2026 12:05
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from 72fd44a to 2967da8 Compare May 13, 2026 17:44
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 3 times, most recently from 7ec6281 to ec8706e Compare June 2, 2026 18:26
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from 1972619 to 60a16f6 Compare June 15, 2026 20:17
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 9 times, most recently from 960e6d0 to 60b362d Compare June 29, 2026 21:21
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 4 times, most recently from cdb81c8 to 55fddfd Compare July 6, 2026 21:05
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 9 times, most recently from 2d961fb to 4cd8071 Compare July 13, 2026 14:51
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 4cd8071 to 8cbfb19 Compare July 16, 2026 13:23
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 8cbfb19 to e1fddd5 Compare July 16, 2026 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants