uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided

Description

uuid is for the creation of RFC9562 (formerly RFC4122) UUIDs. Prior to 14.0.0, v3, v5, and v6 accept external output buffers but do not reject out-of-range writes (small buf or large offset). This allows silent partial writes into caller-provided buffers. This vulnerability is fixed in 14.0.0.

Affected Products

Vendor	Product	Versions
uuid	uuid	npm/uuid: >= 12.0.0, < 12.0.1, npm/uuid: >= 13.0.0, < 13.0.1, npm/uuid: < 11.1.1

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
ibm	app connect enterprise	cert_advisory	90%
npm	uuid	GHSA	85%

References

https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq(x_refsource_CONFIRM)

Related News (3 articles)

Tier B

BSI Advisories1h ago

[NEU] [mittel] IBM App Connect Enterprise: Mehrere Schwachstellen ermöglichen Manipulation von Daten

→ No new info (linked only)

Tier A

Microsoft MSRC64d ago

CVE-2026-41907 uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided

→ No new info (linked only)

Tier C

VulDB65d ago

CVE-2026-41907 | uuidjs uuid up to 13.x out-of-range pointer offset

→ No new info (linked only)

uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided

Description

Affected Products

Also Affects

References

Related News (3 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History