Executive Summary

CVE-2026-41988 is a vulnerability in the uuid npm package versions up to 13.0.0 affecting UUID generation functions for versions 3, 5, and 6. These functions accept external output buffers and an offset parameter but do not properly check if the buffer is large enough to safely write the UUID data.

Unlike UUID versions 1, 4, and 7, which throw an error if the buffer size or offset is invalid, versions 3, 5, and 6 silently allow out-of-range writes. This can cause partial or malformed UUIDs to be written into the buffer without any error notification.

The root cause is missing bounds checking on buffer writes, which can lead to unexpected writes outside the intended buffer area when using external buffers with certain UUID versions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability primarily impacts the integrity and robustness of applications using the affected UUID functions with external buffers. Applications may unknowingly process corrupted, truncated, or stale UUIDs due to silent partial writes.

If buffer sizes or offsets are influenced by external input, this flaw could escalate into a security-relevant logic error, potentially causing unexpected behavior or data corruption.

However, the vulnerability does not affect UUID version 4, which is very commonly used, and the overall severity is rated as moderate.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects the uuid npm package versions up to 13.0.0, specifically in UUID generation functions v3, v5, and v6 when external output buffers are used without proper bounds checking.

To detect if your system is affected, you should check the version of the uuid package installed in your environment.

• Run the command `npm list uuid` or `npm ls uuid` in your project directory to see the installed version.
• If the version is 13.0.0 or earlier, your system is potentially vulnerable.

Additionally, you can audit your codebase or dependencies for usage of UUID versions 3, 5, or 6 with external buffers and offsets, as these are the affected functions.

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to update the uuid package to a version that includes the fix for this vulnerability.

• Upgrade uuid to a version later than 13.0.0 where explicit bounds checking is implemented, which throws a RangeError on invalid buffer offsets or sizes.
• Ensure your code handles or catches RangeErrors when generating UUIDs with external buffers.

If upgrading immediately is not possible, review and audit your code to avoid using UUID versions 3, 5, or 6 with external buffers and offsets, or implement manual bounds checking before calling these functions.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in the uuid package causes unexpected writes to external output buffers when generating UUID versions 3, 5, or 6, potentially resulting in malformed or partial UUIDs without error notification.

This issue primarily impacts data integrity and robustness, as applications relying on complete and correct UUIDs may unknowingly process corrupted identifiers.

However, there is no direct information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0