nanoid is vulnerable to Denial of Service (DoS)
45
Medium Risk
The internal fillPool helper sizes a random-byte pool directly from the requested ID length and computes Buffer.allocUnsafe(bytes * POOL_SIZE_MULTIPLIER) without validating an upper bound. When code passes an excessively large or negative size to nanoid or random, this drives an oversized memory allocation that throws or exhausts memory and can crash the process. Applications that derive the requested ID length from untrusted input are exposed to a denial-of-service condition. The fix makes fillPool throw a RangeError when the requested size is negative or greater than 1024.
You are affected if you are using a version that falls within the vulnerable range and your application passes an untrusted or user-controlled size to the ID generator.
nanoid is vulnerable to Denial of Service (DoS) in versions 3.1.16 - 3.3.11 and 4.0.0 - 5.1.10.
Upgrade the nanoid library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant