CVE-2021-23566: Exposure of Sensitive Information to an Unauthorized Actor

January 14, 2022 (updated July 12, 2022)

The package nanoid is vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

References

gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444
github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575
github.com/ai/nanoid/pull/328
nvd.nist.gov/vuln/detail/CVE-2021-23566
snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2332550
snyk.io/vuln/SNYK-JS-NANOID-2332193

Detect and mitigate CVE-2021-23566 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →