CVE-2026-41907

HIGH

uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided

Title source: cna

Description

uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq

Scores

CVSS v3 7.5

EPSS 0.0031

EPSS Percentile 22.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-787 CWE-823

Status published

Products (7)

npm/uuid 0 - 11.1.1npm

npm/uuid 12.0.0 - 12.0.1npm

npm/uuid 13.0.0 - 13.0.1npm

uuidjs/uuid 12.0.0

uuidjs/uuid 13.0.0

uuidjs/uuid < 11.1.1

uuidjs/uuid < 14.0.0

Published Apr 24, 2026

Tracked Since Apr 24, 2026