Common Weakness Enumeration

CWE-1285

Allowed

Improper Validation of Specified Index, Position, or Offset in Input

Abstraction: Base · Status: Incomplete

The product receives input that is expected to specify an index, position, or offset into an indexable resource such as a buffer or file, but it does not validate or incorrectly validates that the specified index/position/offset has the required properties.

95 vulnerabilities reference this CWE, most recent first.

GHSA-W5HQ-G745-H8PQ

Vulnerability from github – Published: 2026-04-22 20:53 – Updated: 2026-05-21 18:25
VLAI
Summary
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
Details

Summary

The v3(), v5(), and v6() API methods (not uuid release versions) accept external output buffers but do not reject out-of-range writes (small buf or large offset).
By contrast, v4(), v1(), and v7() API methods explicitly throw RangeError on invalid bounds.

This inconsistency allows silent partial writes into caller-provided buffers.

Affected code

  • src/v35.ts (v3()/v5() path) writes buf[offset + i] without bounds validation.
  • src/v6.ts writes buf[offset + i] without bounds validation.

Reproducible PoC

cd /home/StrawHat/uuid
npm ci
npm run build

node --input-type=module -e "
import {v4,v5,v6} from './dist-node/index.js';
const ns='6ba7b810-9dad-11d1-80b4-00c04fd430c8';
for (const [name,fn] of [
  ['v4()',()=>v4({},new Uint8Array(8),4)],
  ['v5()',()=>v5('x',ns,new Uint8Array(8),4)],
  ['v6()',()=>v6({},new Uint8Array(8),4)],
]) {
  try { fn(); console.log(name,'NO_THROW'); }
  catch(e){ console.log(name,'THREW',e.name); }
}"

Observed:

  • v4() THREW RangeError
  • v5() NO_THROW
  • v6() NO_THROW

Example partial overwrite evidence captured during audit:

same true buf [
  170, 170, 170, 170,
   75, 224, 100,  63
]
v6 [
  187, 187, 187, 187,
   31,  19, 185,  64
]

Security impact

  • Primary: integrity/robustness issue (silent partial output).
  • If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.
  • In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.

Suggested fix

Add the same guard used by v4()/v1()/v7():

if (offset < 0 || offset + 16 > buf.length) {
  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);
}

Apply to:

  • src/v35.ts (covers v3() and v5())
  • src/v6.ts
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "uuid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "uuid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "uuid"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "13.0.0"
            },
            {
              "fixed": "13.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41907"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1285",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T20:53:24Z",
    "nvd_published_at": "2026-04-24T19:17:14Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `v3()`, `v5()`, and `v6()` [API methods](https://github.com/uuidjs/uuid#api-summary) (not `uuid` release versions) accept external output buffers but do not reject out-of-range writes (small `buf` or large `offset`).  \nBy contrast, `v4()`, `v1()`, and `v7()` API methods explicitly throw `RangeError` on invalid bounds.\n\nThis inconsistency allows **silent partial writes** into caller-provided buffers.\n\n\n### Affected code\n\n- `src/v35.ts` (`v3()`/`v5()` path) writes `buf[offset + i]` without bounds validation.\n- `src/v6.ts` writes `buf[offset + i]` without bounds validation.\n\n### Reproducible PoC\n\n```bash\ncd /home/StrawHat/uuid\nnpm ci\nnpm run build\n\nnode --input-type=module -e \"\nimport {v4,v5,v6} from \u0027./dist-node/index.js\u0027;\nconst ns=\u00276ba7b810-9dad-11d1-80b4-00c04fd430c8\u0027;\nfor (const [name,fn] of [\n  [\u0027v4()\u0027,()=\u003ev4({},new Uint8Array(8),4)],\n  [\u0027v5()\u0027,()=\u003ev5(\u0027x\u0027,ns,new Uint8Array(8),4)],\n  [\u0027v6()\u0027,()=\u003ev6({},new Uint8Array(8),4)],\n]) {\n  try { fn(); console.log(name,\u0027NO_THROW\u0027); }\n  catch(e){ console.log(name,\u0027THREW\u0027,e.name); }\n}\"\n```\n\nObserved:\n\n- `v4() THREW RangeError`\n- `v5() NO_THROW`\n- `v6() NO_THROW`\n\nExample partial overwrite evidence captured during audit:\n\n```text\nsame true buf [\n  170, 170, 170, 170,\n   75, 224, 100,  63\n]\nv6 [\n  187, 187, 187, 187,\n   31,  19, 185,  64\n]\n```\n\n### Security impact\n\n- **Primary**: integrity/robustness issue (silent partial output).\n- If an application assumes full UUID writes into preallocated buffers, this can produce malformed/truncated/partially stale identifiers without error.\n- In systems where caller-controlled offsets/buffer sizes are exposed indirectly, this may become a security-relevant logic flaw.\n\n### Suggested fix\n\nAdd the same guard used by `v4()`/`v1()`/`v7()`:\n\n```ts\nif (offset \u003c 0 || offset + 16 \u003e buf.length) {\n  throw new RangeError(`UUID byte range ${offset}:${offset + 15} is out of buffer bounds`);\n}\n```\n\nApply to:\n\n- `src/v35.ts` (covers `v3()` and `v5()`)\n- `src/v6.ts`",
  "id": "GHSA-w5hq-g745-h8pq",
  "modified": "2026-05-21T18:25:56Z",
  "published": "2026-04-22T20:53:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41907"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/uuidjs/uuid"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/releases/tag/v11.1.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/releases/tag/v12.0.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/releases/tag/v13.0.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/uuidjs/uuid/releases/tag/v14.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"
}

GHSA-WMRX-6HVM-HG6R

Vulnerability from github – Published: 2023-08-13 12:30 – Updated: 2024-04-04 06:53
VLAI
Details

Vulnerability of input parameters being not strictly verified in the PMS module. Successful exploitation of this vulnerability may cause home screen unavailability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-39388"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-120",
      "CWE-1285",
      "CWE-20"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-08-13T12:15:45Z",
    "severity": "HIGH"
  },
  "details": "Vulnerability of input parameters being not strictly verified in the PMS module. Successful exploitation of this vulnerability may cause home screen unavailability.",
  "id": "GHSA-wmrx-6hvm-hg6r",
  "modified": "2024-04-04T06:53:48Z",
  "published": "2023-08-13T12:30:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39388"
    },
    {
      "type": "WEB",
      "url": "https://consumer.huawei.com/en/support/bulletin/2023/8"
    },
    {
      "type": "WEB",
      "url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202308-0000001667644725"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X24J-XWR5-R3H9

Vulnerability from github – Published: 2026-03-23 15:30 – Updated: 2026-03-23 15:30
VLAI
Details

Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of repeated characters and trigger the application to read it, causing the application to crash or become unresponsive.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-25625"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1285"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-23T14:16:27Z",
    "severity": "MODERATE"
  },
  "details": "Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of repeated characters and trigger the application to read it, causing the application to crash or become unresponsive.",
  "id": "GHSA-x24j-xwr5-r3h9",
  "modified": "2026-03-23T15:30:44Z",
  "published": "2026-03-23T15:30:44Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25625"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/46129"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/blob-studio-denial-of-service-via-malformed-input"
    },
    {
      "type": "WEB",
      "url": "http://www.pixarra.com"
    },
    {
      "type": "WEB",
      "url": "http://www.pixarra.com/uploads/9/4/6/3/94635436/tbblobstudio_install.exe"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-XRF2-5R3P-5WGJ

Vulnerability from github – Published: 2026-03-26 17:58 – Updated: 2026-03-26 17:58
VLAI
Summary
libcrux: Panic in Signature Hint Decoding During Verification
Details

During ML-DSA verification the serialized hint values are decoded as specified in algorithm 22 HintBitUnpack of FIPS 204, subsection 7.1. The algorithm requires that the cumulative hint counters per row of the hint vector are strictly increasing and below a maximum value which depends on the choice of ML-DSA parameter set (line 4).

In libcrux-ml-dsa, hint decoding did not check the boundedness of the cumulative hint counter of the last row of the hint vector.

Impact

A manipulated invalid hint can cause an out-of-bounds memory access since the hint decoding logic may attempt to read outside the bounds of the serialized signature, causing a runtime panic.

Mitigation

Starting from version 0.0.8, hint decoding will check the cumulative hint counter of the last row as well.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "libcrux-ml-dsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-125",
      "CWE-1285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-26T17:58:16Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "During ML-DSA verification the serialized hint values are decoded as specified in algorithm 22 `HintBitUnpack` of [FIPS 204, subsection 7.1](https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf#%5B%7B%22num%22%3A120%2C%22gen%22%3A0%7D%2C%7B%22name%22%3A%22FitH%22%7D%2C657%5D). The algorithm requires that the cumulative hint counters per row of the hint vector are strictly increasing and below a maximum value which depends on the choice of ML-DSA parameter set (line 4).\n\nIn libcrux-ml-dsa, hint decoding did not check the boundedness of the cumulative hint counter of the last row of the hint vector.\n\n## Impact\nA manipulated invalid hint can cause an out-of-bounds memory access since the hint decoding logic may attempt to read outside the bounds of the serialized signature, causing a runtime panic.\n\n## Mitigation\nStarting from version `0.0.8`, hint decoding will check the cumulative hint counter of the last row as well.",
  "id": "GHSA-xrf2-5r3p-5wgj",
  "modified": "2026-03-26T17:58:16Z",
  "published": "2026-03-26T17:58:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cryspen/libcrux/pull/1348"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cryspen/libcrux"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2026-0076.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "libcrux: Panic in Signature Hint Decoding During Verification"
}

GHSA-XWV5-74WF-VR6H

Vulnerability from github – Published: 2025-09-02 21:30 – Updated: 2025-09-02 21:30
VLAI
Details

There is an out of bounds write vulnerability due to improper bounds checking resulting in an invalid address when parsing a DSB file with Digilent DASYLab. This vulnerability may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted DSB file. The vulnerability affects all versions of DASYLab.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-57776"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1285",
      "CWE-787"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-02T19:15:32Z",
    "severity": "HIGH"
  },
  "details": "There is an out of bounds write vulnerability due to improper bounds checking resulting in an invalid address when parsing a DSB file with Digilent DASYLab.  This vulnerability may result in arbitrary code execution.  Successful exploitation requires an attacker to get a user to open a specially crafted DSB file.  The vulnerability affects all versions of DASYLab.",
  "id": "GHSA-xwv5-74wf-vr6h",
  "modified": "2025-09-02T21:30:58Z",
  "published": "2025-09-02T21:30:58Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-57776"
    },
    {
      "type": "WEB",
      "url": "https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/memory-corruption-vulnerabilities-in-digilent-dasylab.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.

No CAPEC attack patterns related to this CWE.