Vulnerability Description
The package nanoid from version 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nanoid Project | Nanoid | >= 3.0.0, < 3.1.31 |
Related Weaknesses (CWE)
References
- https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444 (Exploit, Third Party Advisory)
- https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575 (Patch, Third Party Advisory)
- https://github.com/ai/nanoid/pull/328 (Exploit, Issue Tracking, Patch)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2332550 (Exploit, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-NANOID-2332193 (Exploit, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html
- https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html
FAQ
What is CVE-2021-23566?
CVE-2021-23566 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The package nanoid from version 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.
How severe is CVE-2021-23566?
CVE-2021-23566 has been rated MEDIUM with a CVSS base score of 4.0/10. See the CVSS Score section above for the severity rating.
Is there a patch for CVE-2021-23566?
The fix landed in nanoid 3.1.31 (see the linked commit and pull request #328 in the References section above); upgrading to 3.1.31 or later removes the issue. Affected products include: Nanoid Project Nanoid.