
Security advisory details for CVE-2024-55565? #512

Open
krassowski opened this issue Dec 9, 2024 · 5 comments

Comments

@krassowski

Hi folks, downstreams started getting notifications about a security issue in nanoid, but it looks like the advisory is pretty bare-bones. Can you please indicate the severity of GHSA-mwcw-c2x4-8c55? Thanks!

@Redirts

Redirts commented Dec 9, 2024

I am also curious why the vulnerability was fixed in 3.3.8 but v4 did not get the fix (i.e. version 4.0.3)

@ai
Owner

ai commented Dec 9, 2024

@Redirts we do not support 4.x. It is pretty easy to migrate from 4.x to 5.x.

Of course, 4.x could be fixed as part of commercial support if some company wants to save money.

@ai
Owner

ai commented Dec 9, 2024

@krassowski give them some time. I wrote to the CVE publisher about it.

Severity is low. Your app should allow user input as ID size and have no type check for it. I assume that only 1-5 systems will be affected in the world.

@myndzi
Contributor

myndzi commented Dec 10, 2024

I believe @ai meant "should not allow user input", not "should" :)

I don't know who renamed the GitHub advisory to "infinite loop", but that makes the sparse information worse :(

The security case goes something like:

  • Malicious user influences the length argument to nanoid() to be a fractional value (either directly or indirectly, e.g. through prototype pollution)
  • The next so many ids generated will all be the same (some variant of uuuu which is just all zeroes)
  • This can cause collisions or predictable ids, when ids are expected to be unpredictable and not collide
  • The impact kinda depends on what the ids are used for

Depending on which "variant" of the nanoid code is being used, some of them will loop infinitely instead, which obviously can be a DoS.

If the code is just calling nanoid() or calling it with some constant length value (not influencable), then there's no risk afaik.

@ai
Owner

ai commented Dec 10, 2024

> I believe @ai meant "should not allow user input", not "should" :)

Yes. To have an issue your app should allow user input.

> If the code is just calling nanoid() or calling it with some constant length value (not influencable), then there's no risk afaik.

Yes.

> I don't know who renamed the GitHub advisory to "infinite loop", but that makes the sparse information worse :(

I asked to change it.
