Exposure of Sensitive Information to an Unauthorized Actor in nanoid
- Severity: Medium
Description
The nanoid package from version 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function: a non-numeric size argument whose valueOf() returns different values on successive calls can keep the internal random byte pool from advancing, which allows the caller to reproduce the last id generated. The issue is only reachable where untrusted input can influence the size argument passed to nanoid().
Recommendation
Update the nanoid package to the latest compatible version (3.1.31 or later). Version details:
- Affected version(s): >= 3.0.0, < 3.1.31
- Patched version(s): 3.1.31
References
- GHSA-qrpm-p2h7-hrv2
- snyk.io
- lists.debian.org
- CVE-2021-23566
- CWE-200
- CWE-704
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - CVE-2022-0536
- Exposure of Sensitive Information to an Unauthorized Actor in AEgir - CVE-2020-11059
- Exposure of Sensitive Information in eventsource - CVE-2022-1650
- Exposure of Sensitive Information in simple-get - CVE-2022-0355
- Tags: npm, nanoid
Last updated on November 04, 2025