logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-2hfw-w739-p7x5 nano-id

Package

Manager: cargo
Name: nano-id
Vulnerable Version: >=0 <0.4.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

nano-id reduced entropy due to inadequate character set usage ## Description Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. ## Impact This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. ## Patches The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly. ## PoC ```rust use std::collections::BTreeSet; fn main() { test_base58(); test_base62(); } fn test_base58() { let mut produced_symbols = BTreeSet::new(); for _ in 0..100_000 { id = "RUSTSEC-2024-0343" for c in id.chars() { produced_symbols.insert(c); } } println!( "{} symbols generated from nano_id::base58", produced_symbols.len() ); } fn test_base62() { let mut produced_symbols = BTreeSet::new(); for _ in 0..100_000 { id = "RUSTSEC-2024-0343" for c in id.chars() { produced_symbols.insert(c); } } println!( "{} symbols generated from nano_id::base62", produced_symbols.len() ); } ```

Metadata

Created: 2024-06-04T17:49:18Z
Modified: 2024-06-17T15:08:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-2hfw-w739-p7x5/GHSA-2hfw-w739-p7x5.json
CWE IDs: ["CWE-331"]
Alternative ID: N/A
Finding: F034
Auto approve: 1