Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8Blast Radius
ecosystem impact- 17 npm packages depend on uuid (12 direct, 5 indirect)
Ecosystem-wide dependent count for version 12.0.0.
DescriptionGitHub Advisory
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
AnalysisAI
Buffer overwrite vulnerability in uuid JavaScript library versions prior to 14.0.0 enables remote attackers to corrupt memory and potentially disclose sensitive information through out-of-range writes when applications use v3, v5, or v6 UUID generation functions with caller-provided output buffers. The library fails to validate buffer boundaries, allowing partial writes beyond allocated memory regions. Vendor patch available in version 14.0.0 per GitHub security advisory GHSA-w5hq-g745-h8pq. No confirmed active exploitation (not in CISA KEV), and CVSS 4.0 Environmental Score suggests exploitation status is unproven (E:U).
Technical ContextAI
The uuid library (cpe:2.3:a:uuidjs:uuid) is a widely-used JavaScript implementation for generating RFC9562-compliant universally unique identifiers. The vulnerability stems from CWE-823 (Use of Out-of-Range Pointer Offset), occurring in the v3 (MD5-based), v5 (SHA1-based), and v6 (time-ordered) UUID generation functions. These functions accept external output buffers to avoid allocations but lack proper bounds checking on buffer size and write offset parameters. When an application passes a buffer smaller than required or specifies an offset that would write beyond buffer boundaries, the library performs silent partial writes into adjacent memory regions. This is a classic buffer overflow condition in a memory-unsafe context, though JavaScript's TypedArray implementation may limit exploitation compared to native code vulnerabilities. The flaw affects any JavaScript runtime environment (Node.js, browser, Deno, etc.) where applications invoke these UUID generation methods with custom buffers.
RemediationAI
Upgrade the uuid library to version 14.0.0 or later, which implements proper bounds checking for external output buffers in v3, v5, and v6 UUID generation functions. For Node.js projects, execute 'npm update uuid' or 'yarn upgrade uuid' and verify package.json or package-lock.json reflects >=14.0.0. For browser-based usage, update CDN references or bundled library versions. Vendor patch details available at https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq. If immediate upgrade is not feasible, implement application-layer compensating controls: (1) avoid v3/v5/v6 methods with custom buffers-use default return values or switch to v4 (random) or v1 (time-based) methods that do not accept external buffers, (2) implement strict buffer size validation in calling code before passing buffers to uuid functions, verifying buffer.length minus offset is at least 16 bytes (UUID binary length), (3) audit all code paths invoking uuid.v3(), uuid.v5(), or uuid.v6() to identify custom buffer usage patterns. Note that compensating controls introduce maintenance overhead and potential logic errors; upgrade remains the preferred remediation. Applications using only v1 or v4 methods, or using v3/v5/v6 without custom buffers, are not vulnerable despite running affected library versions.
Same weakness CWE-823 – Use of Out-of-range Pointer Offset
View allSame technique Memory Corruption
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25600