uuid Buffer Overwrite Vulnerability in Versions Prior to 14.0.0
Vulnerability
A vulnerability in the uuid package, affecting versions through 13.0.0, allows unexpected writes to caller-provided output buffers when certain UUID versions are used. The issue affects UUID versions 3, 5, and 6; version 4, which is commonly used, is unaffected. It stems from missing bounds checks, which allow silent partial writes into caller-provided buffers. Exploitation could corrupt UUIDs, causing applications to process malformed or truncated identifiers without any error indication.
Impact
Exploitation of this vulnerability causes silent partial overwrites of the output buffer, producing malformed or truncated UUIDs. In applications that rely on accurate UUIDs, this introduces incorrect identifier data and so creates integrity issues. Furthermore, if buffer offsets or sizes can be manipulated as part of the exploitation, the missing check could become part of a broader security-related logic flaw.
Reproduction
The vulnerability can be reproduced in a Node.js environment by calling the uuid package's version 3, 5, or 6 functions with a buffer that is too small, or with an offset that places the write beyond the buffer's length. The unaffected version 4 throws a RangeError in the same situation; the absence of that error indicates the vulnerability. The partial overwrite itself can be observed by comparing the expected and actual buffer contents after the call.
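As an added illustration (not code from the uuid project), the check below models the failure mode in plain JavaScript: a typed array silently ignores element writes past its end, so a copy loop without a bounds check truncates instead of failing. `uncheckedCopy` and `checkedCopy` are constructed stand-ins for an affected and a fixed writer, and `probeWriter` is the test you would point at a real `(buf, offset) => v3(name, namespace, buf, offset)` call from the installed package.

```javascript
// Added example, not uuid's own code: a typed array silently ignores element
// writes past its end, so a copy loop with no bounds check truncates, not fails.
const UUID_LEN = 16;

// Constructed 16-byte value standing in for the bytes a v3/v5/v6 call produces.
const SAMPLE_BYTES = Uint8Array.from([
  0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x31, 0xd1,
  0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8,
]);

// Vulnerable pattern: out-of-range writes are dropped and the caller sees no error.
function uncheckedCopy(bytes, buf, offset = 0) {
  for (let i = 0; i < UUID_LEN; i++) buf[offset + i] = bytes[i];
  return buf;
}

// Hardened pattern (what the unaffected v4 does): reject before writing a byte.
function checkedCopy(bytes, buf, offset = 0) {
  if (offset < 0 || offset + UUID_LEN > buf.length) {
    throw new RangeError(`${UUID_LEN} bytes at offset ${offset} exceed length ${buf.length}`);
  }
  return uncheckedCopy(bytes, buf, offset);
}

// Probe a writer `(buf, offset) => void` as the Reproduction section describes:
// hand it a buffer the UUID cannot fit into and classify the outcome as
// 'throws' (RangeError, safe), 'partial-write' (vulnerable), 'no-write', or
// 'full-write' (the UUID fit, so the bounds check was never exercised).
function probeWriter(writeInto, bufLen = 8, offset = 0) {
  const buf = new Uint8Array(bufLen);
  const before = Array.from(buf);
  try {
    writeInto(buf, offset);
  } catch (e) {
    if (e instanceof RangeError) return 'throws';
    throw e;
  }
  if (offset >= 0 && offset + UUID_LEN <= bufLen) return 'full-write';
  return before.some((b, i) => b !== buf[i]) ? 'partial-write' : 'no-write';
}

// Against the installed package you would pass e.g.
// (buf, off) => v3(name, namespace, buf, off) instead of these stand-ins.
const results = {
  smallBuffer: probeWriter((b, o) => uncheckedCopy(SAMPLE_BYTES, b, o)),
  largeOffset: probeWriter((b, o) => uncheckedCopy(SAMPLE_BYTES, b, o), 16, 8),
  hardened: probeWriter((b, o) => checkedCopy(SAMPLE_BYTES, b, o)),
};
console.log(results); // { smallBuffer: 'partial-write', largeOffset: 'partial-write', hardened: 'throws' }
```

A writer that reports 'partial-write' for either probe has the behaviour this advisory describes; the fixed package, like v4, reports 'throws'.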
Remediation
Users can upgrade to uuid version 14.0.0 or later, where this vulnerability has been patched.
