{"ecosystem":"npm","package":"nanoid","version":null,"bugs":[{"id":327,"ecosystem":"npm","package_name":"nanoid","affected_version":"3.0.0","fixed_version":"3.1.31","bug_id":"osv:GHSA-qrpm-p2h7-hrv2","title":"Exposure of Sensitive Information to an Unauthorized Actor in nanoid","description":"The package nanoid from 3.0.0, before 3.1.31, is vulnerable to Information Exposure via the valueOf() function, which allows the last id generated to be reproduced.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-23566","labels":["CVE-2021-23566"],"created_at":"2026-04-19 04:31:15.857300+00:00","updated_at":"2026-04-19 04:31:15.857300+00:00"},{"id":326,"ecosystem":"npm","package_name":"nanoid","affected_version":"4.0.0","fixed_version":"5.0.9","bug_id":"osv:GHSA-mwcw-c2x4-8c55","title":"Predictable results in nanoid generation when given non-integer values","description":"When nanoid is called with a fractional value, there were a number of undesirable effects:\n\n1. in browser and non-secure, the code loops infinitely on while (size--)\n2. in node, the value of poolOffset becomes fractional, causing calls to nanoid to return zeroes until the pool is next filled\n3. if the first call in node is a fractional argument, the initial buffer allocation fails with an error\n\nVersions 3.3.8 and 5.0.9 are fixed.","severity":"medium","status":"fixed","source":"osv","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-55565","labels":["CVE-2024-55565"],"created_at":"2026-04-19 04:31:15.856155+00:00","updated_at":"2026-04-19 04:31:15.856155+00:00"}],"total":2,"_cache":"hit"}