Duplicate Advisory: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
This advisory has been withdrawn.
v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). By contrast, v4, v1, and v7 explicitly throw RangeError on invalid bounds. This inconsistency allows silent partial writes into caller-provided buffers.
The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset). By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds. This inconsistency allows silent partial writes into caller-provided buffers.
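The failure mode and a caller-side guard, as an added example that is not code from the uuid package: `writeUnchecked` is a constructed stand-in for a 16-byte UUID writer with no bounds check, and `assertUuidRange`, `writeChecked`, and `SAMPLE` are hypothetical names. It shows that stores past the end of a `Uint8Array` are dropped without an error, and how rejecting the range up front restores the `RangeError` behaviour described for v4(), v1(), and v7().

```javascript
// Constructed stand-in for a UUID writer that copies 16 bytes into a
// caller-provided buffer without checking bounds (not the uuid package's code).
function writeUnchecked(bytes, buf, offset = 0) {
  for (let i = 0; i < 16; ++i) {
    // On a Uint8Array/Buffer, an out-of-range index store is silently ignored.
    buf[offset + i] = bytes[i];
  }
  return buf;
}

// Guard: a UUID occupies bytes offset .. offset + 15; reject anything that
// does not fit entirely inside buf.
function assertUuidRange(buf, offset = 0) {
  if (!Number.isInteger(offset) || offset < 0 || offset + 16 > buf.length) {
    throw new RangeError(
      `UUID byte range ${offset}:${offset + 15} is out of buffer bounds`
    );
  }
}

// Wrap any (bytes, buf, offset) writer so invalid bounds fail loudly.
function writeChecked(writer, bytes, buf, offset = 0) {
  assertUuidRange(buf, offset);
  return writer(bytes, buf, offset);
}

// Constructed sample UUID bytes (all non-zero so landed bytes can be counted).
const SAMPLE = Uint8Array.from({ length: 16 }, (_, i) => 0xa0 + i);
const landed = (buf) => buf.filter((b) => b !== 0).length;

function demo() {
  // Small buf: only 8 of 16 bytes land, and no error is raised.
  const small = writeUnchecked(SAMPLE, new Uint8Array(8), 0);
  // Large offset: only 6 of 16 bytes land, and no error is raised.
  const shifted = writeUnchecked(SAMPLE, new Uint8Array(16), 10);
  // Same inputs through the guard are rejected before any byte is written.
  let rejected = false;
  try {
    writeChecked(writeUnchecked, SAMPLE, new Uint8Array(16), 10);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  // A range that fits is written in full.
  const ok = writeChecked(writeUnchecked, SAMPLE, new Uint8Array(20), 4);
  return { small: landed(small), shifted: landed(shifted), rejected, ok: landed(ok) };
}
```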