Predictable results in nanoid generation when given non-integer values

Description

When nanoid is called with a fractional value, there were a number of undesirable effects:

1. in browser and non-secure, the code infinite loops on while (size–)
2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled 3.

Recommendation

Update the nanoid package to the latest compatible version. Followings are version details:

• Affected version(s): **< 3.3.8

  >= 4.0.0, < 5.0.9**

• Patched version(s): **3.3.8

  5.0.9**

References

• GHSA-mwcw-c2x4-8c55
• lists.debian.org
• CVE-2024-55565
• CWE-835
• CAPEC-310
• OWASP 2021-A6

Related Issues

• webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle - CVE-2024-43373
• @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652
• ws affected by a DoS when handling a request with many HTTP headers - CVE-2024-37890
• Undici vulnerable to data leak when using response.arrayBuffer() - CVE-2024-38372

Tags:

npm

nanoid