Skip to content

fix(deps): update dependency uuid to v13.0.1 [security]#8193

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-uuid-vulnerability
May 6, 2026
Merged

fix(deps): update dependency uuid to v13.0.1 [security]#8193
renovate[bot] merged 1 commit intomainfrom
renovate/npm-uuid-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 22, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
uuid 13.0.013.0.1 age confidence

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

CVE-2026-41907 / GHSA-w5hq-g745-h8pq

More information

Details

Summary

v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code
  • src/v35.ts (v3/v5 path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.
Reproducible PoC
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4',()=>v4({},new Uint8Array(8),4)],
  ['v5',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4 THREW RangeError
  • v5 NO_THROW
  • v6 NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
Security impact
  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.
Suggested fix

Add the same guard used by v4/v1/v7:

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3 and v5)
  • src/v6.ts

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

uuidjs/uuid (uuid)

v13.0.1

Compare Source

Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 22, 2026
@renovate renovate Bot requested a review from a team as a code owner April 22, 2026 22:15
kodiakhq[bot]
kodiakhq Bot previously approved these changes Apr 22, 2026
View reviewed changes
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v14 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-uuid-vulnerability branch April 27, 2026 17:02
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] - autoclosed fix(deps): update dependency uuid to v14 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from 832a03b to 6c64fc5 Compare April 27, 2026 20:45
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 27, 2026
edited
Loading

📊 Benchmark results

Comparing with 30d4ef0

  • Dependency count: 1,061 (no change)
  • Package size: 357 MB (no change)
  • Number of ts-expect-error directives: 355 (no change)

@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v14 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] - autoclosed fix(deps): update dependency uuid to v14 [security] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from 6c64fc5 to 2245572 Compare April 28, 2026 00:08
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 2245572 to 4f61fbd Compare April 29, 2026 16:16
kodiakhq[bot]
kodiakhq Bot previously approved these changes Apr 29, 2026
View reviewed changes
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v14 [security] - autoclosed May 5, 2026
@renovate renovate Bot closed this May 5, 2026
@renovate renovate Bot changed the title fix(deps): update dependency uuid to v14 [security] - autoclosed fix(deps): update dependency uuid to v13.0.1 [security] May 6, 2026
@renovate renovate Bot reopened this May 6, 2026
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from d621b5a to 4f61fbd Compare May 6, 2026 02:29
@renovate renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 4f61fbd to d621b5a Compare May 6, 2026 02:29
@renovate renovate Bot merged commit b267a5e into main May 6, 2026
39 checks passed
@token-generator-app token-generator-app Bot mentioned this pull request May 6, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kodiakhq kodiakhq[bot] kodiakhq[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants