Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
7Blast Radius
ecosystem impact- 17 npm packages depend on uuid (12 direct, 5 indirect)
Ecosystem-wide dependent count for version 12.0.0.
DescriptionNVD
uuid before 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID version 4, which is very commonly used, is unaffected by this issue.
AnalysisAI
UUID library versions before 14.0.0 make unexpected writes to external output buffers when generating UUID versions 3, 5, or 6, potentially corrupting adjacent memory. UUID version 4, the most commonly deployed variant, is unaffected. The vulnerability requires local access and non-default buffer configuration to exploit, resulting in integrity compromise rather than code execution or availability impact.
Technical ContextAI
The uuid library (npm package uuidjs/uuid) is a JavaScript implementation for generating and parsing RFC 4122 compliant universally unique identifiers. The vulnerability exists in UUID generation functions for versions 3, 5, and 6 when callers provide external pre-allocated output buffers to write results into, rather than using default allocations. Version 3 (MD5-based namespace UUID), version 5 (SHA-1-based namespace UUID), and version 6 (timestamp-based) generation functions fail to properly respect buffer boundaries, causing writes beyond the intended region. This is a buffer handling issue (CWE-670: Always-Incorrect Control Flow Implementation) where the generation logic does not properly validate or constrain write operations to external buffers. UUID version 4 (random) and version 1 (timestamp-based) are not affected, likely because their generation paths use different write logic or have proper boundary checks.
RemediationAI
Vendor-released patch: upgrade uuid library to version 14.0.0 or later. For npm projects, run 'npm install uuid@^14.0.0' or update the dependency version in package.json and reinstall. Most applications using uuid version 4 (random UUIDs) can safely defer patching if buffer allocation is not externally controlled; however, applications using UUID versions 3, 5, or 6 with external pre-allocated buffers should prioritize immediate upgrade. If immediate upgrade is not feasible and the application uses external buffers for UUID generation, implement input validation to ensure buffer size matches expected UUID output length (16 bytes), or refactor code to use the library's default internal buffer allocation (which is not affected by this issue). The patch is available from the GitHub security advisory at https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq and commit 3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25190
GHSA-qmq6-f8pr-cx5x