Exposure of Sensitive Information to an Unauthorized Actor in nanoid
- Severity: Medium
Description
The nanoid package, in versions from 3.0.0 up to but not including 3.1.31, is vulnerable to information exposure (CVE-2021-23566) via the valueOf() function, which makes it possible to reproduce the last ID generated. Because nanoid output is commonly used where a value must be unguessable (session or reset tokens, opaque object identifiers), leaking the most recently generated ID can defeat that property.
Recommendation
Update the nanoid package to the latest compatible version (3.1.31 or later). Version details:
- Affected version(s): >= 3.0.0, < 3.1.31
- Patched version(s): 3.1.31
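As an added check, not part of this advisory or of the nanoid project itself: the script below scans a package-lock.json for every installed copy of nanoid, including nested copies under other packages' node_modules, and reports those whose version falls in the affected range >= 3.0.0, < 3.1.31. It handles both the lockfile v2/v3 "packages" map and the older v1 "dependencies" tree. The lockfile it runs on is constructed for the example, and the version comparison is a minimal major.minor.patch comparison rather than the semver package.

```javascript
// Added example, not code from the advisory or from nanoid.
// Flags nanoid installs in the affected range >= 3.0.0, < 3.1.31.

const AFFECTED_MIN = [3, 0, 0]; // inclusive lower bound of the affected range
const PATCHED = [3, 1, 31];     // first fixed version, exclusive upper bound

// Parse "3.1.30", "v3.1.30" or "3.1.30-beta.1" into [major, minor, patch].
// Returns null for anything that is not a plain version (git URLs, tags).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when version is inside [3.0.0, 3.1.31). Unparsable versions are
// treated as "not affected" here; a stricter policy could flag them for review.
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, PATCHED) < 0;
}

// Lockfile v1 layout: a recursive "dependencies" tree.
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'nanoid' && entry && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
    walkV1(entry && entry.dependencies, path + '/', hits);
  }
}

// Returns [{ path, version }] for every affected nanoid copy in the lockfile.
function findVulnerableNanoid(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // Lockfile v2/v3: keys are "node_modules/<name>" paths, nested copies
    // appear as "node_modules/<parent>/node_modules/nanoid".
    for (const [path, entry] of Object.entries(lockfile.packages)) {
      if (!path.endsWith('node_modules/nanoid')) continue;
      if (entry && isAffected(entry.version)) hits.push({ path, version: entry.version });
    }
  } else {
    walkV1(lockfile.dependencies, '', hits);
  }
  return hits;
}

// Constructed sample lockfile (v2 layout): one direct nanoid 3.1.30 (affected),
// one nested 3.1.31 (patched) and one nested 2.1.11 (before the range).
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', dependencies: { nanoid: '^3.1.0' } },
    'node_modules/nanoid': { version: '3.1.30' },
    'node_modules/some-lib': { version: '1.0.0', dependencies: { nanoid: '3.1.31' } },
    'node_modules/some-lib/node_modules/nanoid': { version: '3.1.31' },
    'node_modules/old-lib': { version: '0.9.0', dependencies: { nanoid: '2.1.11' } },
    'node_modules/old-lib/node_modules/nanoid': { version: '2.1.11' },
  },
};

const findings = findVulnerableNanoid(sampleLock);
for (const f of findings) {
  console.log(`affected nanoid ${f.version} at ${f.path} (upgrade to >= 3.1.31)`);
}
```

To run it against a real project, replace sampleLock with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; the nested paths it prints correspond to what `npm ls nanoid` shows, and each one needs the owning dependency updated or an override so that the resolved copy is 3.1.31 or later.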
Related Issues
- Vite has an `server.fs.deny` bypass with an invalid `request-target` - CVE-2025-32395
- Redwood is vulnerable to account takeover via dbAuth "forgot-password - Vulnerability
- Marp Core allows XSS by improper neutralization of HTML sanitization - CVE-2024-56510
- Predictable results in nanoid generation when given non-integer values - CVE-2024-55565
Tags: npm, nanoid
Last updated on January 27, 2023