Predictable results in nanoid generation when given non-integer values
- Severity:
- Medium
Description
When nanoid is called with a fractional value, there were a number of undesirable effects:
- in browser and non-secure, the code infinite loops on while (size–)
- in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled 3.
Recommendation
Update the nanoid package to the latest compatible version. Followings are version details:
Affected version(s): **< 3.3.8 >= 4.0.0, < 5.0.9** Patched version(s): **3.3.8 5.0.9**
References
Related Issues
- @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652
- matrix-js-sdk will freeze when a user sets a room with itself as a its predecessor - CVE-2024-42369
- Undici vulnerable to data leak when using response.arrayBuffer() - CVE-2024-38372
- webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browse - CVE-2025-30360
You might also like:
- Tags:
- npm
- nanoid
Anything's wrong? Let us know Last updated on November 04, 2025


