Skip to content

chore(deps): update dependency uuid to v11 [security]#3438

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-uuid-vulnerability
Open

chore(deps): update dependency uuid to v11 [security]#3438
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-uuid-vulnerability

Conversation

@renovate

@renovate renovate Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
uuid ^9.0.0^11.1.1 age adoption passing confidence

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

CVE-2026-41907 / GHSA-w5hq-g745-h8pq

More information

Details

Summary

The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code
  • src/v35.ts (v3()/v5() path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.
Reproducible PoC
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4()',()=>v4({},new Uint8Array(8),4)],
  ['v5()',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6()',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4() THREW RangeError
  • v5() NO_THROW
  • v6() NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
Security impact
  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.
Suggested fix

Add the same guard used by v4()/v1()/v7():

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3() and v5())
  • src/v6.ts

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

uuidjs/uuid (uuid)

v11.1.1

Compare Source

Bug Fixes

v11.1.0

Compare Source

Features
  • update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

v11.0.5

Compare Source

Bug Fixes

v11.0.4

Compare Source

Bug Fixes

v11.0.3

Compare Source

Bug Fixes

v11.0.2

Compare Source

Bug Fixes

v11.0.1

Compare Source

Bug Fixes

v11.0.0

Compare Source

⚠ BREAKING CHANGES
  • refactor v1 internal state and options logic (#​780)
  • refactor v7 internal state and options logic, fixes #​764 (#​779)
  • Port to TypeScript, closes #​762 (#​763)
  • update node support matrix (only support node 16-20) (#​750)
Features
Bug Fixes

v10.0.0

Compare Source

⚠ BREAKING CHANGES
  • update node support (drop node@​12, node@​14, add node@​20) (#​750)
Features
Bug Fixes

v9.0.1

Compare Source

build
  • Fix CI to work with Node.js 20.x

Configuration

📅 Schedule: (in timezone America/Los_Angeles)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from a team as a code owner May 21, 2026 21:27
@apollo-librarian

apollo-librarian Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

✅ Docs preview has no changes

The preview was not built because there were no changes.

Build ID: 4dd88bc0167afa44e825d404
Build Logs: View logs


✅ AI Style Review — No Changes Detected

No MDX files were changed in this pull request.

Review Log: View detailed log

This review is AI-generated. Please use common sense when accepting these suggestions, as they may not always be accurate or appropriate for your specific context.

@changeset-bot

changeset-bot Bot commented May 21, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 5a4abe7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 7ec51d2 to 5e8be71 Compare May 28, 2026 02:49
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] May 28, 2026
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] May 28, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 5e8be71 to b5af413 Compare May 28, 2026 02:51
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] May 28, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 3 times, most recently from c28c1e7 to 8bec32b Compare May 28, 2026 21:39
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] May 28, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from 2d658bc to b801883 Compare May 28, 2026 21:43
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] May 28, 2026
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] May 28, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from a9cb945 to c7566ae Compare May 28, 2026 21:48
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] May 28, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from c7566ae to b21b004 Compare May 28, 2026 21:51
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] May 28, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from b21b004 to 31a77f4 Compare May 29, 2026 00:38
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] May 29, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 31a77f4 to d033af8 Compare May 29, 2026 00:41
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] May 29, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from d033af8 to dbd1aa0 Compare June 1, 2026 17:14
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] Jun 1, 2026
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jun 2, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from dbd1aa0 to ca063e0 Compare June 2, 2026 01:33
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jun 3, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from e22884b to 5b609a2 Compare June 11, 2026 11:16
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] Jun 11, 2026
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jun 11, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 5b609a2 to 6345e27 Compare June 11, 2026 22:56
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 6345e27 to 9cd2fb3 Compare June 24, 2026 19:55
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] Jun 24, 2026
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jun 24, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from 5e94c79 to cc0a2c1 Compare June 26, 2026 17:22
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] Jun 26, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from cc0a2c1 to ea8907a Compare June 26, 2026 17:24
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jun 26, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from ea8907a to ea6d730 Compare July 2, 2026 19:55
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] Jul 2, 2026
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jul 2, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from ea6d730 to b6339ea Compare July 2, 2026 23:38
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from b6339ea to 9252237 Compare July 12, 2026 17:49
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] Jul 12, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 9252237 to 8cf0dd6 Compare July 12, 2026 23:51
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jul 12, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 8cf0dd6 to 12a68bb Compare July 15, 2026 14:44
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] Jul 15, 2026
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jul 15, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch 2 times, most recently from aa50684 to 2d56f67 Compare July 16, 2026 16:52
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v11 [security] chore(deps): update dependency uuid to v14 [security] Jul 16, 2026
@renovate renovate Bot changed the title chore(deps): update dependency uuid to v14 [security] chore(deps): update dependency uuid to v11 [security] Jul 17, 2026
@renovate
renovate Bot force-pushed the renovate/npm-uuid-vulnerability branch from 2d56f67 to 5a4abe7 Compare July 17, 2026 11:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants