Description
uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Published: 2026-04-24
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

uuidjs's uuid library was vulnerable prior to version 14.0.0 because the v3, v5, and v6 functions accepted caller-supplied output buffers without validating bounds. When a small buffer or an excessively large offset is used, the library performs silent partial writes into that buffer. This unchecked memory write can corrupt arbitrary data and, if the buffer contains executable or control data, can be leveraged to achieve arbitrary code execution. The weakness corresponds to CWE-787 (Unchecked Buffer Copy) and CWE-823 (Improper Output Check).

Affected Systems

The vulnerable product is uuidjs:uuid, an open-source Node.js library used for UUID generation. All releases before 14.0.0 are affected whenever the v3, v5, or v6 functions are invoked with a caller-provided buffer. Only this specific buffer-accepting code path is impacted; other parts of the library remain unchanged.

Risk and Exploitability

The public CVSS score is 8.1, reflecting high severity. An EPSS score of less than 1% indicates a very low, yet non-zero, probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Exploitability requires an adversary to feed a malicious buffer or manipulate the buffer offset in the UUID generation routine. While the attack vector is typically local to the application, it could be remote if the application exposes input that influences the buffer size or contents. The silent memory corruption could lead to data integrity breach, potential code execution, or denial of service.

Generated by OpenCVE AI on April 28, 2026 at 05:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uuidjs:uuid to version 14.0.0 or later, which includes proper bounds checking for the affected functions.
  • Audit all instances where a caller-supplied buffer is passed to uuid.v3, uuid.v5, or uuid.v6 and add explicit length validation or reject calls that use a buffer smaller than the expected size.
  • If an immediate upgrade is not possible, replace calls that supply an external buffer with the library’s default allocation, thereby removing the risk of out-of-range writes until the official patch is applied.
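One way to implement the explicit length validation recommended above, as an added example that is not part of the uuid library or of this advisory. It assumes the argument positions of the v3/v5 (name, namespace, buf, offset) and v6 (options, buf, offset) signatures, and uses a constructed stand-in writer in place of the real generator so that it runs without the package installed:

```javascript
// Bytes in a binary UUID; v3/v5/v6 write exactly this many into `buf`.
const UUID_BYTES = 16;

// Reject any (buf, offset) pair that cannot hold a full 16-byte UUID.
// Returns the validated offset so callers can pass it straight through.
function checkOutputBuffer(buf, offset = 0) {
  if (!(buf instanceof Uint8Array)) {
    throw new TypeError('buf must be a Uint8Array (or Node Buffer)');
  }
  if (!Number.isInteger(offset) || offset < 0) {
    throw new RangeError(`offset must be a non-negative integer, got ${offset}`);
  }
  if (offset + UUID_BYTES > buf.length) {
    throw new RangeError(
      `buf too small: need ${offset + UUID_BYTES} bytes, have ${buf.length}`
    );
  }
  return offset;
}

// Wrap a generator so the check runs before any byte is written.
// bufIndex is the position of `buf` in the generator's argument list
// (assumed: 2 for v3/v5, 1 for v6); offset is assumed to follow `buf`.
function withBoundsCheck(generate, bufIndex) {
  return (...args) => {
    const buf = args[bufIndex];
    if (buf !== undefined) {
      checkOutputBuffer(buf, args[bufIndex + 1] ?? 0);
    }
    return generate(...args);
  };
}

// Constructed stand-in for an unpatched generator (hypothetical, not the
// library's code): it copies 16 bytes into buf but stops silently at the
// end of the buffer, so a small buf or large offset leaves a truncated
// UUID behind without raising any error.
function uncheckedWriter(name, namespace, buf, offset = 0) {
  const bytes = new Uint8Array(UUID_BYTES).fill(0xab);
  const out = buf ?? new Uint8Array(UUID_BYTES);
  for (let i = 0; i < UUID_BYTES && offset + i < out.length; i++) {
    out[offset + i] = bytes[i];
  }
  return out;
}

// Guarded variant: same call shape as the v3/v5 signature, buf at index 2.
const safeWriter = withBoundsCheck(uncheckedWriter, 2);
```

Wrapping the real uuid.v3/uuid.v5 (bufIndex 2) or uuid.v6 (bufIndex 1) the same way turns a silent partial write into a RangeError at the call site until the upgrade to 14.0.0 is in place.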


Advisories

Source: GitHub GHSA
ID: GHSA-w5hq-g745-h8pq
Title: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
History

Mon, 11 May 2026 15:15:00 +0000

CPEs
  Values added:
    cpe:2.3:a:uuidjs:uuid:*:*:*:*:*:node.js:*:*
    cpe:2.3:a:uuidjs:uuid:12.0.0:*:*:*:*:node.js:*:*
    cpe:2.3:a:uuidjs:uuid:13.0.0:*:*:*:*:node.js:*:*
Metrics
  Values removed:
    cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}
  Values added:
    cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Fri, 08 May 2026 00:15:00 +0000

References
  (values not shown)
Metrics
  Values removed:
    threat_severity None
  Values added:
    cvssV3_1 {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L'}
    threat_severity Moderate

Mon, 27 Apr 2026 20:45:00 +0000

First Time appeared
  Values added: Uuidjs, Uuidjs uuid
Vendors & Products
  Values added: Uuidjs, Uuidjs uuid

Mon, 27 Apr 2026 15:15:00 +0000

Metrics
  Values added:
    ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 24 Apr 2026 18:30:00 +0000

Description
  Values added: uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.
Title
  Values added: uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided
Weaknesses
  Values added: CWE-787, CWE-823
References
  (values not shown)
Metrics
  Values added:
    cvssV4_0 {'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T13:35:34.363Z

Reserved: 2026-04-22T15:11:54.673Z

Link: CVE-2026-41907

Vulnrichment

Updated: 2026-04-27T13:13:52.388Z

NVD

Status: Analyzed

Published: 2026-04-24T19:17:14.490

Modified: 2026-05-11T13:53:19.343

Link: CVE-2026-41907

Red Hat

Severity: Moderate

Public Date: 2026-04-24T18:09:24Z

Links: CVE-2026-41907 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T06:00:09Z

Weaknesses