Nanoid · Nanoid · CVE-2024-55565
**Name of the Vulnerable Software and Affected Versions**
nanoid versions prior to 5.0.9
nanoid version 3.3.8 is a fixed version, implying versions prior to 3.3.8 are also affected, but since 3.3.8 is mentioned as a fixed version, it indicates that versions before 3.3.8 and between 3.3.8 and 5.0.9 are vulnerable. However, to consolidate the information correctly based on the provided instructions:
nanoid versions prior to 5.0.9
**Description**
The issue concerns the mishandling of non-integer values by nanoid. When called with a fractional value, it can cause several undesirable effects, including infinite loops in browser and non-secure environments, and in Node, it can cause the poolOffset to become fractional, leading to nanoid returning zeroes until the pool is next filled. Additionally, if the first call in Node is a fractional argument, the initial buffer allocation fails with an error.
**Recommendations**
For versions prior to 5.0.9, update to version 5.0.9 or later to resolve the issue.
For versions prior to 3.3.8, update to version 3.3.8 or later to resolve the issue.
As a temporary workaround, consider avoiding the use of fractional values with nanoid until a patch is applied.