PT-2025-32009 · Vision UI
Davidosipov · Published 2025-08-05 · Updated 2025-08-06
CVE-2025-54884
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
Vision UI versions 1.4.0 and below
Description
The generateSecureId and getSecureRandomInt functions in the security-kit component (versions prior to 3.5.0, as packaged in Vision UI 1.4.0 and below) are susceptible to denial of service (DoS). generateSecureId(length) uses the caller-supplied length parameter directly as the size of a Uint8Array buffer, so an attacker can exhaust server memory by repeatedly requesting very large IDs. getSecureRandomInt(min, max) derives its buffer size from the range between min and max; a large range can cause excessive memory allocation and a CPU-intensive rejection-sampling loop, potentially hanging the thread.
Recommendations
Update to Vision UI version 1.5.0 or later.
Update the security-kit component to version 3.5.0 or later.
Resource Exhaustion
Allocation of Resources Without Limits
Related Identifiers
Affected Products
Vision Ui
Security-Kit