CVE-2025-54884
BaseFortify

Publication date: 2025-08-06

Last updated on: 2025-08-06

Assigner: GitHub, Inc.

Description
Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the generateSecureId and getSecureRandomInt functions in security-kit versions prior to 3.5.0 (packaged in Vision UI 1.4.0 and below) are vulnerable to Denial of Service (DoS) attacks. The generateSecureId(length) function directly used the length parameter to size a Uint8Array buffer, allowing attackers to exhaust server memory through repeated requests for large IDs since the previous 1024 limit was insufficient. The getSecureRandomInt(min, max) function calculated buffer size based on the range between min and max, where large ranges caused excessive memory allocation and CPU-intensive rejection-sampling loops that could hang the thread. This issue is fixed in version 1.5.0.
Meta Information
Published: 2025-08-06
Last Modified: 2025-08-06
Generated: 2026-05-07
AI Q&A: 2025-08-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor         Product           Version / Range
david_osipov   security-kit.js   3.0.0
david_osipov   security-kit.js   3.5.0
david_osipov   security-kit.js   3.4.0
david_osipov   vision_ui         1.4.0
CWE ID    Description
CWE-400   The product does not properly control the allocation and maintenance of a limited resource.
CWE-770   The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Vision UI versions 1.4.0 and below, specifically in the generateSecureId and getSecureRandomInt functions of the security-kit module. The generateSecureId function uses the length parameter directly to allocate a Uint8Array buffer, allowing attackers to request very large IDs repeatedly, which can exhaust server memory. The getSecureRandomInt function allocates memory based on the range between min and max parameters, and large ranges cause excessive memory allocation and CPU-intensive loops that can hang the server thread. These issues can lead to Denial of Service (DoS) attacks. The vulnerability is fixed in version 1.5.0.

How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to perform Denial of Service (DoS) attacks against your server. By exploiting the way memory is allocated in the generateSecureId and getSecureRandomInt functions, attackers can cause excessive memory consumption and CPU usage, potentially making your server unresponsive or crashing it, leading to service downtime.
What immediate steps should I take to mitigate this vulnerability?

Upgrade Vision UI and security-kit to version 1.5.0 or later, where the vulnerability is fixed. Until then, limit or block requests that attempt to generate very large IDs or use large ranges in getSecureRandomInt to prevent excessive memory allocation and CPU usage.