diff --git a/advisories/github-reviewed/2026/04/GHSA-w5hq-g745-h8pq/GHSA-w5hq-g745-h8pq.json b/advisories/github-reviewed/2026/04/GHSA-w5hq-g745-h8pq/GHSA-w5hq-g745-h8pq.json index 174fde063d763..3bcaefc7eb31e 100644 --- a/advisories/github-reviewed/2026/04/GHSA-w5hq-g745-h8pq/GHSA-w5hq-g745-h8pq.json +++ b/advisories/github-reviewed/2026/04/GHSA-w5hq-g745-h8pq/GHSA-w5hq-g745-h8pq.json @@ -2,8 +2,11 @@ "schema_version": "1.4.0", "id": "GHSA-w5hq-g745-h8pq", "modified": "2026-04-22T20:53:24Z", - "published": "2026-04-22T20:53:24Z", - "aliases": [], + "published": "2026-04-22T20:53:25Z", + "aliases": [ + "CVE-2026-41907", + "CVE-2026-41988" + ], "summary": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided", "details": "### Summary\n\n`v3`, `v5`, and `v6` accept external output buffers but do not reject out-of-range writes (small `buf` or large `offset`). \nBy contrast, `v4`, `v1`, and `v7` explicitly throw `RangeError` on invalid bounds.\n\nThis inconsistency allows **silent partial writes** into caller-provided buffers.\n\n\n### Affected code\n\n- `src/v35.ts` (`v3`/`v5` path) writes `buf[offset + i]` without bounds validation.\n- `src/v6.ts` writes `buf[offset + i]` without bounds validation.\n\n### Reproducible PoC\n\n```bash\ncd /home/StrawHat/uuid\nnpm ci\nnpm run build\n\nnode --input-type=module -e \"\nimport {v4,v5,v6} from './dist-node/index.js';\nconst ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';\nfor (const [name,fn] of [\n ['v4',()=>v4({},new Uint8Array(8),4)],\n ['v5',()=>v5('x',ns,new Uint8Array(8),4)],\n ['v6',()=>v6({},new Uint8Array(8),4)],\n]) {\n try { fn(); console.log(name,'NO_THROW'); }\n catch(e){ console.log(name,'THREW',e.name); }\n}\"\n```\n\nObserved:\n\n- `v4 THREW RangeError`\n- `v5 NO_THROW`\n- `v6 NO_THROW`\n\nExample partial overwrite evidence captured during audit:\n\n```text\nsame true buf [\n 170, 170, 170, 170,\n 75, 224, 100, 63\n]\nv6 [\n 187, 187, 187, 187,\n 31, 19, 185, 64\n]\n```\n\n### Security impact\n\n- **Primary**: integrity/robustness issue (silent partial output).\n- If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.\n- In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.\n\n### Suggested fix\n\nAdd the same guard used by `v4`/`v1`/`v7`:\n\n```ts\nif (offset < 0 || offset + 16 > buf.length) {\n throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);\n}\n```\n\nApply to:\n\n- `src/v35.ts` (covers `v3` and `v5`)\n- `src/v6.ts`", "severity": [ @@ -26,20 +29,72 @@ "introduced": "0" }, { - "fixed": "14.0.0" + "fixed": "11.1.1" } ] } ] + }, + { + "package": { + "ecosystem": "npm", + "name": "uuid" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "12.0.0" + }, + { + "fixed": "12.0.1" + } + ] + } + ], + "versions": [ + "12.0.0" + ] + }, + { + "package": { + "ecosystem": "npm", + "name": "uuid" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "13.0.0" + }, + { + "fixed": "13.0.1" + } + ] + } + ], + "versions": [ + "13.0.0" + ] } ], "references": [ { - "type": "WEB", + "type": "ADVISORY", "url": "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq" }, { - "type": "WEB", + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-qmq6-f8pr-cx5x" + }, + { + "type": "ADVISORY", + "url": "https://www.cve.org/CVERecord?id=CVE-2026-41988" + }, + { + "type": "FIX", "url": "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34" }, {