CVE-2021-23566 — node-mocha - security update

Description

The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.

How to fix CVE-2021-23566

To remediate CVE-2021-23566, upgrade the affected package to a fixed version below.

Debian/node-mocha—upgrade to 8.2.1+ds1+~cs29.4.27-3+deb11u1 or later
—upgrade to 8.2.1+ds1+~cs29.4.27-3+deb11u1 or later
—upgrade to 8.2.1+~cs5.3.23-8+deb11u1 or later
—upgrade to 8.2.1+~cs5.3.23-8+deb11u1 or later
—upgrade to 3.1.31 or later

Is CVE-2021-23566 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0, < 8.2.1+ds1+~cs29.4.27-3+deb11u1
from 0, < 8.2.1+ds1+~cs29.4.27-3+deb11u1
from 0, < 8.2.1+~cs5.3.23-8+deb11u1
from 0, < 8.2.1+~cs5.3.23-8+deb11u1
>= 3.0.0, < 3.1.31

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.5	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-23566
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-23566
PATCHgithub.com/ai/nanoid
WEBgist.github.com/artalar/bc6d1eb9a3477d15d2772e876169a444
WEB