Mondoo

Vulnerability Management
Technology
Services

Solutions

Financial Services
Manufacturing
Healthcare

Resources

Blog
Vulnerability Database
Documentation
GitHub

Company

About
Careers
Partners
Contact

Legal

Privacy
Terms
Imprint

CVE-2021-23566 | Mondoo Vulnerability Intelligence

Vulnerability IntelligenceCVE-2021-23566

CVE-2021-23566

MEDIUM4.0

Information Exposure

Published Jan 14, 2022

Modified 6 months ago

Details

The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

References

WEB

https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444

WEB

https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575

WEB

https://github.com/ai/nanoid/pull/328

WEB

https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html

WEB

https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html

WEB

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2332550

WEB

https://snyk.io/vuln/SNYK-JS-NANOID-2332193

ADVISORY

https://www.cve.org/CVERecord?id=CVE-2021-23566

CVSS Analysis

CVSS v3.1

4.0

Exploitability

Attack Vector

LocalAV:L

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

LowC:L

Integrity

NoneI:N

Availability

NoneA:N

4/CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Ecosystems

Timeline

PublishedJan 14, 2022

ModifiedNov 3, 2025