CVE-2024-36400

Name of the Vulnerable Software and Affected Versions nano-id versions prior to 0.4.0

Description Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the nano id::base62 and nano id::base58 functions. Specifically, the base62 function used a character set of 32 symbols instead of the intended 62 symbols, and the base58 function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the nano id::gen macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that nano id::base64 is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.

Recommendations To resolve the issue, update to version 0.4.0 or later, as the vulnerability is fixed in this version. As a temporary workaround, consider avoiding the use of nano id::base62 and nano id::base58 functions until a patch is available. Restrict access to security-sensitive contexts where the generated IDs are used to minimize the risk of exploitation.