CVE-2021-23566
Information Exposure vulnerability in nanoid (npm)

What is CVE-2021-23566 About?

The `nanoid` package (from 3.0.0, before 3.1.31) has an Information Exposure vulnerability through its `valueOf()` function. This allows attackers to reproduce the last generated ID, potentially bypassing identifiers designed for uniqueness or security. Exploiting this involves calling a specific function after an ID is generated.

Affected Software

nanoid >3.0.0, <3.1.31

Technical Details

The `nanoid` package, in versions from 3.0.0 up to, but not including, 3.1.31, suffers from an Information Exposure vulnerability related to its `valueOf()` function. `nanoid` is designed to create unique, short IDs. However, if `valueOf()` is called on a nanoid instance after an ID has been generated, it may expose internal state, specifically allowing the reproduction of the last generated ID. This undermines the expected unpredictability and uniqueness of the IDs: an attacker who can observe an ID and then trigger the `valueOf()` call may be able to determine previously generated IDs or guess subsequent ones. The result could be collision attacks or the circumvention of security features that rely on ID randomness or uniqueness.

What is the Impact of CVE-2021-23566?

Successful exploitation may allow attackers to deduce or reproduce identifiers, potentially leading to collision attacks, bypassing security measures, or unauthorized access.

What is the Exploitability of CVE-2021-23566?

Exploitation complexity is low, as it primarily involves calling the `valueOf()` function on a nanoid instance after an ID has been generated. No authentication is required for the attacker to call this function if they already have code execution within the application context. This is typically a local vulnerability or an issue within an application's internal logic, rather than a direct remote attack vector. The main prerequisite is that the `nanoid` package is used and `valueOf()` is inadvertently called in a way that exposes the last ID. The likelihood of exploitation increases if the application's design allows attacker-controlled code to interact with nanoid instances, or if internal application logic inadvertently exposes this behavior. Its impact depends heavily on which security features rely on nanoid's uniqueness.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2021-23566?

Available Upgrade Options

  • nanoid
    • >3.0.0, <3.1.31 → Upgrade to 3.1.31
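To find every copy of `nanoid` in the affected range before upgrading, including nested copies pulled in by transitive dependencies, here is an added check (not from the advisory or the nanoid project) that walks the `packages` map of a `package-lock.json` (lockfileVersion 2/3). The lockfile content below is constructed for the demo.

```javascript
// Added example (not from the advisory): flag nanoid installs in the
// CVE-2021-23566 range (from 3.0.0, before 3.1.31) using a lockfile's
// "packages" map (lockfileVersion 2/3). Sample lockfile data is constructed.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null };
}

// Returns -1, 0 or 1; a pre-release sorts before its release (3.1.31-rc.1 < 3.1.31).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Affected range as stated in the advisory text: from 3.0.0, before 3.1.31 (the fix).
const AFFECTED = { introduced: '3.0.0', fixed: '3.1.31' };

function isAffected(version) {
  return compareSemver(version, AFFECTED.introduced) >= 0 &&
         compareSemver(version, AFFECTED.fixed) < 0;
}

// Nested copies (node_modules/x/node_modules/nanoid) are checked too, since a
// hoisted fixed copy does not patch a transitive dependency's own nested copy.
function findVulnerableNanoid(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/nanoid$/.test(path) || !meta.version) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample: the top-level copy is fixed, one nested copy is still
// vulnerable, and another nested copy predates the affected range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/nanoid': { version: '3.1.31' },
    'node_modules/some-dep/node_modules/nanoid': { version: '3.1.30' },
    'node_modules/other-dep/node_modules/nanoid': { version: '2.1.11' },
  },
};
```

`findVulnerableNanoid(SAMPLE_LOCK)` reports only the nested 3.1.30 copy, which is the case a hoisted top-level upgrade alone would miss.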

Additional Resources

What are Similar Vulnerabilities to CVE-2021-23566?

Similar Vulnerabilities: CVE-2021-39148, CVE-2020-28498, CVE-2018-1000180, CVE-2020-15093, CVE-2020-28500