#VU102463 Infinite loop in nanoid - CVE-2024-55565


| Updated: 2025-03-13

Vulnerability identifier: #VU102463

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-55565

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
nanoid
Web applications / Modules and components for CMS

Vendor: Andrey Sitnik

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote user can consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

nanoid: 3.0.0 - 5.0.8

External links
https://github.com/ai/nanoid/compare/3.3.7...3.3.8
https://github.com/ai/nanoid/pull/510
https://github.com/ai/nanoid/releases/tag/5.0.9
https://github.com/advisories/GHSA-mwcw-c2x4-8c55

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Software Support app (Android)
Fedora 42 update for qgis
Fedora 41 update for qgis
IBM App Connect Enterprise Certified Container update for nanoid (aka Nano ID)
Multiple vulnerabilities in OpenShift Data Foundation (formerly OpenShift Container Storage) 4.18
IBM Watson Discovery for IBM Cloud Pak for Data update for nanoid (aka Nano ID)
Multiple vulnerabilities in IBM Event Endpoint Management
Multiple vulnerabilities in Red Hat OpenShift Container Platform 4.17
Multiple vulnerabilities in OpenShift Service Mesh 2.5
Multiple vulnerabilities in Red Hat OpenShift Dev Spaces 3.18