CVE-2021-23566
Aliases:GHSA-qrpm-p2h7-hrv2
Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 14 Jan 2022, 20:05
Last modified:03 Nov 2025, 21:44
Vulnerability Summary
Overall Risk (default)
medium
32/100 CVSS Score
5.5 MEDIUM
v3.1 (nvd)
EPSS Score
0.03% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
4 found
Dark Web
Not detected
Timeline
14 Jan 2022, 20:05
Published
Vulnerability first disclosed
03 Nov 2025, 21:44
Last Modified
Vulnerability information updated
Description
The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
CVSS Metrics
- v3.1•MEDIUM•Score: 4CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P
- v3.1•MEDIUM•Score: 5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- v2.0•LOW•Score: 2.1AV:L/AC:L/Au:N/C:P/I:N/A:N
EPSS Trends
Current EPSS score: 0.03%• Percentile: 8%
Techniques & Countermeasures
- CWE-704•Incorrect Type Conversion or Cast
The product does not correctly convert an object, resource, or structure from one type to a different type.
Affected Systems
- nanoid_project•nanoid
≥ 3.0.0, < 3.1.31
- Npm•nanoid
≥ 3.0.0, < 3.1.31
References (9)
- https://snyk.io/vuln/SNYK-JS-NANOID-2332193
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2332550
- https://gist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444
- https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575
- https://github.com/ai/nanoid/pull/328
- https://lists.debian.org/debian-lts-announce/2025/01/msg00006.html
- https://lists.debian.org/debian-lts-announce/2024/12/msg00025.html
- https://nvd.nist.gov/vuln/detail/CVE-2021-23566
- https://github.com/ai/nanoid