CVE-2024-55565: Predictable results in nanoid generation when given non-integer values

December 9, 2024 (updated December 13, 2024)

When nanoid is called with a fractional value, there were a number of undesirable effects:

in browser and non-secure, the code infinite loops on while (size–)
in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled
if the first call in node is a fractional argument, the initial buffer allocation fails with an error

Version 3.3.8 and 5.0.9 are fixed.

References

github.com/advisories/GHSA-mwcw-c2x4-8c55
github.com/ai/nanoid
github.com/ai/nanoid/compare/3.3.7...3.3.8
github.com/ai/nanoid/pull/510
github.com/ai/nanoid/releases/tag/5.0.9
nvd.nist.gov/vuln/detail/CVE-2024-55565

Detect and mitigate CVE-2024-55565 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →