Skip to content

Pin transitive uuid to 11.1.1 to remediate GHSA-w5hq-g745-h8pq#54

Merged
mageroni merged 2 commits into
mainfrom
copilot/fix-uuid-buffer-bounds-check
Jul 8, 2026
Merged

Pin transitive uuid to 11.1.1 to remediate GHSA-w5hq-g745-h8pq#54
mageroni merged 2 commits into
mainfrom
copilot/fix-uuid-buffer-bounds-check

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

uuid@8.3.2 was present transitively and is affected by GHSA-w5hq-g745-h8pq / CVE-2026-41907 (v3/v5/v6 can perform out-of-bounds partial buffer writes). This change moves resolution to the minimum patched version (11.1.1) with the smallest possible dependency-scope update.

  • Dependency remediation

    • Added an npm override to force uuid to 11.1.1 (patched baseline).
    • Regenerated lockfile so the transitive install no longer resolves uuid@8.3.2.
  • Lockfile impact

    • package-lock.json now resolves node_modules/uuid to 11.1.1.
    • No other direct dependency migrations were introduced.
  • Reachability Assessment

    • Advisory targets uuid APIs v3(), v5(), and v6() with external buffer usage.
    • Repository search found no direct uuid imports and no call sites of v3/v5/v6.
    • Exposure appears transitive-only (applicationinsights chain), so this is primarily scanner/risk-hardening remediation rather than a confirmed active code path.
    • Confidence: High (named vulnerable APIs + no matching call sites in repo).
{
  "overrides": {
    "protobufjs": "8.6.3",
    "uuid": "11.1.1"
  }
}
Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided</alert_title>
<alert_description>### Summary

The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

  • src/v35.ts (v3()/v5() path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4()',()=>v4({},new Uint8Array(8),4)],
  ['v5()',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6()',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4() THREW RangeError
  • v5() NO_THROW
  • v6() NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4()/v1()/v7():

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3() and v5())
  • src/v6.ts</alert_description>

moderate
GHSA-w5hq-g745-h8pq, CVE-2026-41907
uuid
npm
<vulnerable_versions>8.3.2</vulnerable_versions>
<patched_version>11.1.1</patched_version>
<manifest_path>package-lock.json</manifest_path>

https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34 https://github.com/uuidjs/uuid/releases/tag/v14.0.0 https://nvd.nist.gov/vuln/detail/CVE-2026-41907 https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a https://github.com/uuidjs/uuid/releases/tag/v11.1.1 https://github.com/uuidjs/uuid/releases/tag/v12.0.1 https://github.com/uuidjs/uuid/releases/tag/v13.0.1 https://github.com/advisories/GHSA-w5hq-g745-h8pq

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage patterns that mitigate the vulnerability without a version update. If a workaround is available, apply it and leave a code comment referencing the advisory identifier explaining it is a temporary mitigation. If neither a p...

Copilot AI changed the title [WIP] Fix buffer bounds check in uuid v3/v5/v6 Pin transitive uuid to 11.1.1 to remediate GHSA-w5hq-g745-h8pq Jul 8, 2026
Copilot AI requested a review from mageroni July 8, 2026 14:21
@mageroni mageroni marked this pull request as ready for review July 8, 2026 14:58
Copilot AI review requested due to automatic review settings July 8, 2026 14:58

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Pins a vulnerable transitive uuid@8.3.2 dependency to the minimum patched baseline (11.1.1) using npm overrides, and updates the lockfile so installs resolve the remediated version. This fits the codebase’s dependency hygiene/security maintenance by addressing a Dependabot alert without migrating direct dependencies.

Changes:

  • Add uuid: 11.1.1 to package.json overrides.
  • Regenerate package-lock.json so node_modules/uuid resolves to 11.1.1 instead of 8.3.2.
Show a summary per file
File Description
package.json Adds an npm override to force uuid to the patched version.
package-lock.json Updates resolved uuid package metadata to 11.1.1 in the lockfile.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 1/2 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread package.json
Comment on lines 35 to 38
"overrides": {
"protobufjs": "8.6.3"
"protobufjs": "8.6.3",
"uuid": "11.1.1"
},
@mageroni mageroni merged commit 9f53637 into main Jul 8, 2026
7 checks passed
@mageroni mageroni deleted the copilot/fix-uuid-buffer-bounds-check branch July 8, 2026 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants