Exposure of Sensitive Information to an Unauthorized Actor in nanoid
- Severity: Medium
Description
The package nanoid from 3.0.0, before 3.1.31, is vulnerable to Information Exposure via the valueOf() function, which allows an attacker to reproduce the last id generated.
Recommendation
Update the nanoid package to the latest compatible version. Version details follow:
- Affected version(s): >= 3.0.0, < 3.1.31
- Patched version(s): 3.1.31
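Because nanoid is usually pulled in transitively, a project can hold several copies at different versions, so checking the top-level dependency alone is not enough. The following is an added example (not from the advisory or the nanoid project) that walks an npm lockfile and flags every installed copy whose version falls in the affected range stated above. It assumes an npm lockfile of lockfileVersion 2 or 3, where the `packages` map keys each installed copy by its node_modules path; the range boundaries come from this advisory, and the sample lockfile is constructed for the demonstration.

```javascript
// Added example: find nanoid copies in an npm lockfile that fall in the
// affected range from this advisory (>= 3.0.0, < 3.1.31). Not project code.

// Range boundaries taken from the advisory above.
const AFFECTED = { name: 'nanoid', min: '3.0.0', fixed: '3.1.31' };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into parts; null if malformed.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

// Semver prerelease ordering: a tagged version sorts before the untagged one,
// numeric identifiers sort before alphanumeric ones, shorter lists sort first.
function comparePre(a, b) {
  if (a.length === 0 && b.length === 0) return 0;
  if (a.length === 0) return 1;
  if (b.length === 0) return -1;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const an = /^\d+$/.test(a[i]), bn = /^\d+$/.test(b[i]);
    if (an && bn) { const d = +a[i] - +b[i]; if (d) return Math.sign(d); }
    else if (an) return -1;
    else if (bn) return 1;
    else if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns -1, 0 or 1 like a comparator; throws on malformed input rather than
// silently treating an unparseable version as safe.
function compareSemver(x, y) {
  const a = parseSemver(x), b = parseSemver(y);
  if (!a || !b) throw new Error(`not a semver version: ${a ? y : x}`);
  const core = (a.major - b.major) || (a.minor - b.minor) || (a.patch - b.patch);
  return core ? Math.sign(core) : comparePre(a.pre, b.pre);
}

// True when version lies in [min, fixed), i.e. the advisory's affected range.
// Note that a prerelease of the fix (e.g. 3.1.31-beta.1) is still below 3.1.31.
function isAffected(version) {
  return compareSemver(version, AFFECTED.min) >= 0 &&
         compareSemver(version, AFFECTED.fixed) < 0;
}

// Walk the "packages" map (lockfileVersion 2/3): every installed copy, nested
// transitive ones included, is keyed by its path, e.g.
// "node_modules/some-lib/node_modules/nanoid".
function findAffectedNanoid(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const parts = path.split('/');
    const isNanoid = parts.length >= 2 &&
      parts[parts.length - 1] === AFFECTED.name &&
      parts[parts.length - 2] === 'node_modules';
    if (!isNanoid || !entry.version) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (not a real project): three nanoid copies,
// only the nested 3.1.30 one is in the affected range.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/nanoid': { version: '3.1.31' },
    'node_modules/some-lib': { version: '2.0.0', dependencies: { nanoid: '^3.1.20' } },
    'node_modules/some-lib/node_modules/nanoid': { version: '3.1.30' },
    'node_modules/other-lib/node_modules/nanoid': { version: '2.1.11' },
  },
};

for (const h of findAffectedNanoid(SAMPLE_LOCKFILE)) {
  console.log(`${h.path}@${h.version} is affected; upgrade to ${AFFECTED.fixed} or later`);
}
```

The comparator is a deliberate choice over a plain string comparison: "3.1.4" sorts after "3.1.31" as strings, and a lockfile with mixed major versions (the 2.x copy above) would be misjudged by anything that does not parse the numeric parts. When run against a real lockfile, read it with `JSON.parse` and pass the object to `findAffectedNanoid`; for the older lockfileVersion 1 layout the nested `dependencies` tree would need a separate walker.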
References
- GHSA-qrpm-p2h7-hrv2
- snyk.io
- lists.debian.org
- CVE-2021-23566
- CWE-200
- CWE-704
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Predictable results in nanoid generation when given non-integer values - CVE-2024-55565
- Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
- AngularJS allows attackers to bypass common image source restrictions - CVE-2024-8372
- Strapi Allows Unauthorized Access to Private Fields via parms.lookup - CVE-2024-56143
- Tags: npm, nanoid
Last updated on November 04, 2025