Skip to main content

uuid (uuidjs) CVE-2026-41907

| EUVDEUVD-2026-25600 HIGH
Use of Out-of-range Pointer Offset (CWE-823)
2026-04-24 GitHub_M
8.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
4.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Patch released
Apr 27, 2026 - 18:57 nvd
Patch available
Re-analysis Queued
Apr 27, 2026 - 14:22 vuln.today
cvss_changed
Analysis Generated
Apr 24, 2026 - 21:15 vuln.today
Patch available
Apr 24, 2026 - 20:17 EUVD
CVSS changed
Apr 24, 2026 - 19:22 NVD
8.1 (HIGH)
EUVD ID Assigned
Apr 24, 2026 - 18:45 euvd
EUVD-2026-25600
Analysis Generated
Apr 24, 2026 - 18:45 vuln.today
CVE Published
Apr 24, 2026 - 18:09 nvd
HIGH 8.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 17 npm packages depend on uuid (12 direct, 5 indirect)

Ecosystem-wide dependent count for version 12.0.0.

DescriptionGitHub Advisory

uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.

AnalysisAI

Buffer overwrite vulnerability in uuid JavaScript library versions prior to 14.0.0 enables remote attackers to corrupt memory and potentially disclose sensitive information through out-of-range writes when applications use v3, v5, or v6 UUID generation functions with caller-provided output buffers. The library fails to validate buffer boundaries, allowing partial writes beyond allocated memory regions. Vendor patch available in version 14.0.0 per GitHub security advisory GHSA-w5hq-g745-h8pq. No confirmed active exploitation (not in CISA KEV), and CVSS 4.0 Environmental Score suggests exploitation status is unproven (E:U).

Technical ContextAI

The uuid library (cpe:2.3:a:uuidjs:uuid) is a widely-used JavaScript implementation for generating RFC9562-compliant universally unique identifiers. The vulnerability stems from CWE-823 (Use of Out-of-Range Pointer Offset), occurring in the v3 (MD5-based), v5 (SHA1-based), and v6 (time-ordered) UUID generation functions. These functions accept external output buffers to avoid allocations but lack proper bounds checking on buffer size and write offset parameters. When an application passes a buffer smaller than required or specifies an offset that would write beyond buffer boundaries, the library performs silent partial writes into adjacent memory regions. This is a classic buffer overflow condition in a memory-unsafe context, though JavaScript's TypedArray implementation may limit exploitation compared to native code vulnerabilities. The flaw affects any JavaScript runtime environment (Node.js, browser, Deno, etc.) where applications invoke these UUID generation methods with custom buffers.

RemediationAI

Upgrade the uuid library to version 14.0.0 or later, which implements proper bounds checking for external output buffers in v3, v5, and v6 UUID generation functions. For Node.js projects, execute 'npm update uuid' or 'yarn upgrade uuid' and verify package.json or package-lock.json reflects >=14.0.0. For browser-based usage, update CDN references or bundled library versions. Vendor patch details available at https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq. If immediate upgrade is not feasible, implement application-layer compensating controls: (1) avoid v3/v5/v6 methods with custom buffers-use default return values or switch to v4 (random) or v1 (time-based) methods that do not accept external buffers, (2) implement strict buffer size validation in calling code before passing buffers to uuid functions, verifying buffer.length minus offset is at least 16 bytes (UUID binary length), (3) audit all code paths invoking uuid.v3(), uuid.v5(), or uuid.v6() to identify custom buffer usage patterns. Note that compensating controls introduce maintenance overhead and potential logic errors; upgrade remains the preferred remediation. Applications using only v1 or v4 methods, or using v3/v5/v6 without custom buffers, are not vulnerable despite running affected library versions.

Vendor StatusVendor

Share

CVE-2026-41907 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy