Intel

AIKIDO-2026-712572

nanoid is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Yesterday

45

Medium Risk

This Affects:

JSnanoid
3.1.16 - 3.3.11
Fixed in 3.3.12
4.0.0 - 5.1.10
Fixed in 5.1.11
Are you affected? Scan for Free

TL;DR

The internal fillPool helper sizes a random-byte pool directly from the requested ID length and computes Buffer.allocUnsafe(bytes * POOL_SIZE_MULTIPLIER) without validating an upper bound. When code passes an excessively large or negative size to nanoid or random, this drives an oversized memory allocation that throws or exhausts memory and can crash the process. Applications that derive the requested ID length from untrusted input are exposed to a denial-of-service condition. The fix makes fillPool throw a RangeError when the requested size is negative or greater than 1024.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application passes an untrusted or user-controlled size to the ID generator.

Background info

nanoid is vulnerable to Denial of Service (DoS) in versions 3.1.16 - 3.3.11 and 4.0.0 - 5.1.10.

How to fix this

Upgrade the nanoid library to the patch version.