Fluid Attacks Database

Description

Exposure of Sensitive Information to an Unauthorized Actor in nanoid The package nanoid from 3.0.0, before 3.1.31, are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	nanoid	>=3.0.0 <3.1.31	3.1.31
debian 12	node-postcss	>=0 <8.4.5+~cs7.1.51-1	8.4.5+~cs7.1.51-1
debian 12	node-mocha	>=0 <9.1.4+ds1+~cs28.2.8-1	9.1.4+ds1+~cs28.2.8-1
debian 13	node-postcss	>=0 <8.4.5+~cs7.1.51-1	8.4.5+~cs7.1.51-1
debian 11	node-mocha	=8.2.1+ds1+~cs29.4.27-3 \|\| >=0 <8.2.1+ds1+~cs29.4.27-3+deb11u1	8.2.1+ds1+~cs29.4.27-3+deb11u1
debian 13	node-mocha	>=0 <9.1.4+ds1+~cs28.2.8-1	9.1.4+ds1+~cs28.2.8-1
debian 14	node-mocha	>=0 <9.1.4+ds1+~cs28.2.8-1	9.1.4+ds1+~cs28.2.8-1
debian 11	node-postcss	=8.2.1+~cs5.3.23-8 \|\| >=0 <8.2.1+~cs5.3.23-8+deb11u1	8.2.1+~cs5.3.23-8+deb11u1
debian 14	node-postcss	>=0 <8.4.5+~cs7.1.51-1	8.4.5+~cs7.1.51-1

Aliases

1. CVE-2021-235662. NVD-2021-235663. OSV-2021-235664. OSV-DEBIAN-2021-235665. GCVE-2021-235666. lists.debian.org7. lists.debian.org8. SECURITY-TRACKER-CVE-2021-23566

References

1. https://github.com/ai/nanoid/pull/3282. https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db25753. https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.