Skip to content

fix(deps): update dependency uuid to v14 [security]#600

Open
ZxBot wants to merge 1 commit intodevelfrom
renovate/npm-uuid-vulnerability
Open

fix(deps): update dependency uuid to v14 [security]#600
ZxBot wants to merge 1 commit intodevelfrom
renovate/npm-uuid-vulnerability

Conversation

@ZxBot
Copy link
Copy Markdown
Contributor

@ZxBot ZxBot commented Apr 23, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
uuid 11.0.514.0.0 age confidence

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

GHSA-w5hq-g745-h8pq

More information

Details

Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code
  • src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.
Reproducible PoC
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4 THREW RangeError
  • v5 NO_THROW
  • v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
Security impact
  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.
Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3 and v5)
  • src/v6.ts

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

uuidjs/uuid (uuid)

v14.0.0

Compare Source

Security
  • Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.
⚠ BREAKING CHANGES
  • crypto is now expected to be globally defined (requires node@​20+) (#​935)
  • drop node@​18 support (#​934)
  • upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

v13.0.0

Compare Source

⚠ BREAKING CHANGES
  • make browser exports the default (#​901)
Bug Fixes

v12.0.0

Compare Source

⚠ BREAKING CHANGES
  • update to typescript@​5.2 (#​887)
  • remove CommonJS support (#​886)
  • drop node@​16 support (#​883)
Features
Bug Fixes

v11.1.0

Compare Source

Features
  • update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

Configuration

📅 Schedule: (in timezone Europe/Rome)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@sonarqube-zextras
Copy link
Copy Markdown

sonarqube-zextras Bot commented Apr 23, 2026

Passed Quality Gate passed

Issues

Measures

Project ID: carbonio-files-ui

View in SonarQube

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

renovate security vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ZxBot