Vision UI Denial-of-Service Vulnerability in Security Kit
Vulnerability
A denial-of-service vulnerability has been identified in Vision UI versions through 1.4.0, affecting the security-kit module in versions prior to 3.5.0. The issue lies in the generateSecureId and getSecureRandomInt functions, both of which allocate resources in proportion to caller-supplied input without adequate limits. generateSecureId sized a buffer directly from its length parameter, so a request for a very large ID allocated a correspondingly large buffer and could exhaust server memory. getSecureRandomInt allocated buffers sized from the width of the requested numeric range, so a wide range caused excessive memory use and CPU load. In both cases the result is performance degradation and application unresponsiveness.
Impact
An attacker who can influence the length passed to generateSecureId or the range passed to getSecureRandomInt can drive memory and CPU consumption high enough that the application becomes unresponsive, disrupting service for legitimate users.
Remediation
Users are advised to upgrade to Vision UI version 1.5.0, which includes the necessary fixes (the security-kit module is fixed from version 3.5.0). Instructions for upgrading can be found in the release notes on the Vision UI GitHub repository. Until the upgrade is applied, validate and cap any caller-supplied ID length or numeric range before it reaches these functions.
