DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-41907: Out-of-Bounds Write in uuid npm Package via Missing Boundary Checks

Vulnerability ID: CVE-2026-41907
CVSS Score: 8.1
Published: 2026-04-24

The widely used uuid npm package has an out-of-bounds write vulnerability in its v3, v5, and v6 generation functions. When a caller supplies a buffer that is too small, or an offset too close to its end, to hold the 16-byte identifier, the write is truncated silently rather than rejected. An attacker who can influence the buffer size or offset can therefore cause partial writes, leading to data corruption and application logic flaws.

TL;DR

CVE-2026-41907 is an out-of-bounds write vulnerability affecting the uuid JavaScript library prior to version 14.0.0. Missing buffer boundary validations in the v3, v5, and v6 UUID functions allow truncation of generated identifiers without triggering exceptions, enabling data integrity degradation and potential application-level exploitation.

⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-787
  • Attack Vector: Network (Application Context)
  • CVSS Score: 8.1
  • EPSS Score: 0.00055
  • Exploit Status: Proof of Concept
  • KEV Listed: False

Affected Systems

  • Node.js applications dependent on the uuid npm package
  • Client-side JavaScript relying on batch UUID generation using buffers
  • uuid: < 14.0.0 (Fixed in: 14.0.0)
  • uuid: >= 13.0.0, < 13.0.1 (Fixed in: 13.0.1)
  • uuid: >= 12.0.0, < 12.0.1 (Fixed in: 12.0.1)
  • uuid: >= 11.0.0, < 11.1.1 (Fixed in: 11.1.1)

Code Analysis

Commit: 3d2c5b0

Fix out-of-bounds write in v3, v5, and v6

Commit: e5424b6

Backport fix for out-of-bounds write to 13.x

Commit: f276031

Backport fix for out-of-bounds write to 12.x

Commit: 7269a96

Backport fix for out-of-bounds write to 11.x

Mitigation Strategies

  • Upgrade to uuid version 14.0.0 or apply the corresponding legacy backport.
  • Implement application-level boundary checks before passing buffers to uuid functions.
  • Deploy static analysis (Semgrep/ESLint) to detect manual buffer assignments to uuid routines.
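The following is an added example, not code from the advisory or from the uuid project. It illustrates the failure mode described above (a write past the end of a typed array is silently discarded in JavaScript, so an identifier is truncated without any exception) using a constructed stand-in writer rather than the real uuid code, and then shows the kind of application-level boundary check recommended in the mitigations. `assertUuidSpace` is a hypothetical helper; in a real application it would run before the buffer and offset are handed to uuid's v3, v5 or v6 call.

```javascript
// Added example (not from the advisory or the uuid project): why an oversized
// offset into a Uint8Array yields a silent partial write, and a boundary check
// that rejects such buffers before they reach a UUID generator.

const UUID_BYTES = 16; // a UUID is 128 bits

// Constructed stand-in for a generator that copies 16 bytes into buf at offset
// without checking bounds. Assignments past the end of a typed array are
// silently dropped by JavaScript, so the identifier is truncated with no error.
function uncheckedWrite(bytes, buf, offset) {
  for (let i = 0; i < UUID_BYTES; i++) {
    buf[offset + i] = bytes[i];
  }
  return buf;
}

// How many of the 16 bytes actually landed inside the buffer.
function bytesWritten(buf, offset) {
  return Math.max(0, Math.min(UUID_BYTES, buf.length - offset));
}

// Hypothetical application-level check to run before calling uuid.v3/v5/v6
// with a (buffer, offset) pair. Node's Buffer is a Uint8Array subclass, so it
// passes the type test too.
function assertUuidSpace(buf, offset = 0) {
  if (!(buf instanceof Uint8Array)) {
    throw new TypeError('buffer must be a Uint8Array or Buffer');
  }
  if (!Number.isInteger(offset) || offset < 0) {
    throw new RangeError(`offset must be a non-negative integer, got ${offset}`);
  }
  if (offset + UUID_BYTES > buf.length) {
    throw new RangeError(
      `buffer of ${buf.length} bytes cannot hold a UUID at offset ${offset}`
    );
  }
  return offset;
}

// The same write, guarded: the truncation case now fails loudly.
function checkedWrite(bytes, buf, offset) {
  assertUuidSpace(buf, offset);
  return uncheckedWrite(bytes, buf, offset);
}

// Batch fill, the pattern named under "Affected Systems": count UUIDs packed
// back to back. An undersized buffer is caught at the first slot that does
// not fit, instead of yielding a short final identifier.
function fillBatch(bytesFor, buf, count) {
  for (let i = 0; i < count; i++) {
    checkedWrite(bytesFor(i), buf, i * UUID_BYTES);
  }
  return buf;
}

// Demonstration on constructed input: a 24-byte buffer with a write at offset 16
// keeps only 8 of the 16 bytes when unchecked, and is rejected when checked.
const sampleId = new Uint8Array(UUID_BYTES).fill(0xab);
const shortBuf = new Uint8Array(24);
uncheckedWrite(sampleId, shortBuf, 16);
console.log('bytes kept by unchecked write:', bytesWritten(shortBuf, 16));
try {
  checkedWrite(sampleId, shortBuf, 16);
} catch (e) {
  console.log('checked write rejected:', e.message);
}
```

The check is deliberately placed in the caller's code rather than relying on the library, which is what the "application-level boundary checks" mitigation asks for; it also keeps working after the upgrade, since the fixed versions reject the same inputs.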

Remediation Steps:

  1. Identify all internal projects utilizing the uuid npm package.
  2. Update package dependencies in package.json to require >=14.0.0, or >=13.0.1 for 13.x users.
  3. Execute npm audit or equivalent dependency scanners to confirm the vulnerable component is replaced.
  4. Review custom buffer offset logic in batch-processing services generating UUIDs.
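As an added example for steps 1 to 3 (not part of the advisory and not an npm tool), the block below encodes the affected ranges listed under "Affected Systems" and checks every copy of uuid recorded in a package-lock.json against them, which is useful where npm audit data is not yet available in a pipeline. The lockfile object is constructed inline; `assessUuidVersion` and `scanLock` are hypothetical helpers, and the version parser only reads the major.minor.patch prefix.

```javascript
// Added example (not from the advisory): classify an installed uuid version
// against the affected ranges the advisory lists, and scan a lockfile for
// every nested copy of the package.

// Ranges with a backport, as stated in the advisory: vulnerable from min up
// to (but not including) fixed.
const BACKPORTED = [
  { min: '13.0.0', fixed: '13.0.1' },
  { min: '12.0.0', fixed: '12.0.1' },
  { min: '11.0.0', fixed: '11.1.1' },
];
const MAIN_FIX = '14.0.0'; // everything below this without a backport is affected

// Parse "major.minor.patch" (a leading "v" and any prerelease suffix are ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { vulnerable, fixedIn } where fixedIn is the smallest release that
// closes the issue for that major line (null when not vulnerable).
function assessUuidVersion(version) {
  if (compareVersions(version, MAIN_FIX) >= 0) {
    return { vulnerable: false, fixedIn: null };
  }
  const [major] = parseVersion(version);
  for (const range of BACKPORTED) {
    if (parseVersion(range.min)[0] === major) {
      const vulnerable = compareVersions(version, range.fixed) < 0;
      return { vulnerable, fixedIn: vulnerable ? range.fixed : null };
    }
  }
  // Older major lines have no backport; the remedy is the 14.0.0 upgrade.
  return { vulnerable: true, fixedIn: MAIN_FIX };
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every uuid install (top-level or nested) that is still affected.
function scanLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isUuid = path === 'node_modules/uuid' || path.endsWith('/node_modules/uuid');
    if (!isUuid || !entry.version) continue;
    const verdict = assessUuidVersion(entry.version);
    if (verdict.vulnerable) {
      findings.push({ path, version: entry.version, fixedIn: verdict.fixedIn });
    }
  }
  return findings;
}

// Constructed lockfile excerpt: one backported line still below its fix, and
// one old copy pulled in transitively that only the 14.0.0 upgrade resolves.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', dependencies: { uuid: '^13.0.0' } },
    'node_modules/uuid': { version: '13.0.0' },
    'node_modules/legacy-lib': { version: '2.1.0' },
    'node_modules/legacy-lib/node_modules/uuid': { version: '9.0.1' },
    'node_modules/uuid-validate': { version: '0.0.3' }, // different package, ignored
  },
};

for (const f of scanLock(SAMPLE_LOCK)) {
  console.log(`${f.path}: uuid ${f.version} affected, upgrade to >=${f.fixedIn}`);
}
```

Nested copies matter here: updating the top-level constraint in package.json does not touch a transitive copy pinned by another dependency, which is why step 3 asks for a scanner pass after the update.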

Read the full report for CVE-2026-41907 on our website for more details including interactive diagrams and full exploit analysis.
