Skip to content

fix(deps): update dependency uuid to v11 [security]#4323

Draft
renovate-bot wants to merge 3 commits into
GoogleCloudPlatform:mainfrom
renovate-bot:renovate/npm-uuid-vulnerability
Draft

fix(deps): update dependency uuid to v11 [security]#4323
renovate-bot wants to merge 3 commits into
GoogleCloudPlatform:mainfrom
renovate-bot:renovate/npm-uuid-vulnerability

Conversation

@renovate-bot

@renovate-bot renovate-bot commented May 24, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
uuid ^10.0.0^11.1.1 age confidence
uuid ^8.0.0^11.1.1 age confidence

uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided

CVE-2026-41907 / GHSA-w5hq-g745-h8pq

More information

Details

Summary

The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code
  • src/v35.ts (v3()/v5() path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.
Reproducible PoC
cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4()',()=>v4({},new Uint8Array(8),4)],
  ['v5()',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6()',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4() THREW RangeError
  • v5() NO_THROW
  • v6() NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]
Security impact
  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.
Suggested fix

Add the same guard used by v4()/v1()/v7():

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3() and v5())
  • src/v6.ts

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

uuidjs/uuid (uuid)

v11.1.1

Compare Source

Bug Fixes

v11.1.0

Compare Source

Features
  • update TS types to allowUint8Array subtypes for buffer option (#​865) (a5231e7)

v11.0.5

Compare Source

Bug Fixes

v11.0.4

Compare Source

Bug Fixes

v11.0.3

Compare Source

Bug Fixes

v11.0.2

Compare Source

Bug Fixes

v11.0.1

Compare Source

Bug Fixes

v11.0.0

Compare Source

⚠ BREAKING CHANGES
  • refactor v1 internal state and options logic (#​780)
  • refactor v7 internal state and options logic, fixes #​764 (#​779)
  • Port to TypeScript, closes #​762 (#​763)
  • update node support matrix (only support node 16-20) (#​750)
Features
Bug Fixes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested review from a team as code owners May 24, 2026 15:05
@product-auto-label product-auto-label Bot added samples Issues that are directly related to samples. api: aiplatform Issues related to the AI Platform API. api: appengine Issues related to the App Engine Admin API API. api: auth api: automl Issues related to the AutoML API. api: cloudasset Issues related to the Cloud Asset Inventory API. api: cloudfunctions Issues related to the Cloud Run functions API. api: compute Issues related to the Compute Engine API. api: contactcenterinsights Issues related to the Contact Center AI Insights API. api: containeranalysis Issues related to the Container Analysis API. api: datacatalog Issues related to the Data Catalog API. api: dataproc Issues related to the Managed Service for Apache Spark API. api: datastore Issues related to the Datastore API. api: dialogflow Issues related to the Dialogflow API. api: discoveryengine Issues related to the Discovery Engine API API. labels May 24, 2026
@bhshkh bhshkh assigned pearigee and unassigned bhshkh May 26, 2026
@renovate-bot renovate-bot force-pushed the renovate/npm-uuid-vulnerability branch from cc06e5b to e2583dd Compare May 27, 2026 08:01
@renovate-bot renovate-bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v11 [security] May 27, 2026
@dpebot

dpebot commented May 27, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@pearigee pearigee removed their assignment May 27, 2026
@dpebot

dpebot commented May 27, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-uuid-vulnerability branch from dd30840 to 933c3e9 Compare June 16, 2026 17:41
@dpebot

dpebot commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-uuid-vulnerability branch from 933c3e9 to 1aa7604 Compare June 17, 2026 16:55
@renovate-bot renovate-bot changed the title fix(deps): update dependency uuid to v11 [security] fix(deps): update dependency uuid to v14 [security] Jun 17, 2026
@dpebot

dpebot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@angelcaamal

angelcaamal commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

The current version (14.0.0) is a pure ESM package and is not compatible with require(). Version 11.1.1 is recommended because it maintains support for require() (CommonJS) and successfully addresses the vulnerabilities reported in older 10.x versions.

@renovate-bot renovate-bot force-pushed the renovate/npm-uuid-vulnerability branch from 1aa7604 to 86f9aa6 Compare June 18, 2026 18:48
@dpebot

dpebot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-uuid-vulnerability branch from 86f9aa6 to 6ddd5d3 Compare June 18, 2026 18:57
@dpebot

dpebot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@renovate-bot renovate-bot force-pushed the renovate/npm-uuid-vulnerability branch from 6ddd5d3 to 0c63029 Compare June 18, 2026 19:06
@renovate-bot renovate-bot changed the title fix(deps): update dependency uuid to v14 [security] fix(deps): update dependency uuid to v11 [security] Jun 18, 2026
@dpebot

dpebot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@dpebot

dpebot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@dpebot

dpebot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

/gcbrun

@angelcaamal angelcaamal marked this pull request as draft June 22, 2026 17:54
@angelcaamal

angelcaamal commented Jun 22, 2026

Copy link
Copy Markdown
Contributor

To handle this package update, more narrowly scoped PRs are being created.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danieljbruce danieljbruce danieljbruce approved these changes

@feywind feywind feywind approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@danieljbruce danieljbruce

Labels

actions:force-run api: aiplatform Issues related to the AI Platform API. api: appengine Issues related to the App Engine Admin API API. api: auth api: automl Issues related to the AutoML API. api: cloudasset Issues related to the Cloud Asset Inventory API. api: cloudfunctions Issues related to the Cloud Run functions API. api: compute Issues related to the Compute Engine API. api: contactcenterinsights Issues related to the Contact Center AI Insights API. api: containeranalysis Issues related to the Container Analysis API. api: datacatalog Issues related to the Data Catalog API. api: dataproc Issues related to the Managed Service for Apache Spark API. api: datastore Issues related to the Datastore API. api: dialogflow Issues related to the Dialogflow API. api: discoveryengine Issues related to the Discovery Engine API API. api: dlp Issues related to the Sensitive Data Protection API. api: documentai Issues related to the Document AI API. api: eventarc Issues related to the Eventarc API. api: genai api: language Issues related to the Cloud Natural Language API API. api: tasks Issues related to the Tasks API API. asset: pattern DEE Asset tagging - Pattern. kokoro:force-run Add this label to force Kokoro to re-run the tests. major samples Issues that are directly related to samples.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@renovate-bot @dpebot @angelcaamal @danieljbruce @feywind @bhshkh @pearigee