GHSA-2HFW-W739-P7X5
Vulnerability from github – Published: 2024-06-04 17:49 – Updated: 2026-02-02 22:27
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-9hc7-6w9r-wj94. This link is maintained to preserve external references.
Original Description
Description
Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the nano_id::base62 and nano_id::base58 functions. Specifically, the base62 function used a character set of 32 symbols instead of the intended 62 symbols, and the base58 function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the nano_id::gen macro is also affected when a custom character set that is not a power of 2 in size is specified.
It should be noted that nano_id::base64 is not affected by this vulnerability.
Impact
This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.
Patches
The flaws were corrected in commit a9022772b2f1ce38929b5b81eccc670ac9d3ab23 by updating the nano_id::gen macro to use all specified characters correctly.
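The Description above explains the bug as an alphabet that is only partly used when its size is not a power of two, and Impact states the consequence in entropy terms. The following is an added illustration, not code from the nano-id crate or from its fix: the standard mask-and-reject way of drawing uniformly from a 62-symbol alphabet, the entropy arithmetic for the symbol counts the advisory names (62 vs 32, 58 vs 16), and the same distinct-symbol count the PoC below relies on. The 21-symbol ID length and the counter-based byte source are assumptions made so the run is reproducible.

```rust
// Added example (not the nano-id crate's code or its fix): uniform ID
// generation over an arbitrary alphabet by mask-and-reject sampling, plus the
// entropy arithmetic behind the advisory's reduced-character-set impact.

/// Entropy in bits of an ID of `id_len` symbols drawn uniformly from an
/// alphabet of `alphabet_len` symbols: id_len * log2(alphabet_len).
pub fn id_entropy_bits(alphabet_len: usize, id_len: usize) -> f64 {
    id_len as f64 * (alphabet_len as f64).log2()
}

/// Build an ID of `id_len` symbols from `alphabet`, pulling random bytes from
/// `next_byte`. Each byte is masked to the smallest power-of-two range that
/// covers the alphabet; an index past the end is rejected and a fresh byte is
/// drawn, so every symbol is equally likely and all of them are reachable.
/// For a power-of-two alphabet (64 symbols) the mask fits exactly and nothing
/// is ever rejected, which is why such alphabets are the easy case.
pub fn gen_id(alphabet: &[u8], id_len: usize, mut next_byte: impl FnMut() -> u8) -> String {
    assert!(!alphabet.is_empty() && alphabet.len() <= 256 && alphabet.is_ascii());
    let mask = alphabet.len().next_power_of_two() - 1; // 62 -> 63, 58 -> 63, 64 -> 63
    let mut id = Vec::with_capacity(id_len);
    while id.len() < id_len {
        let idx = (next_byte() as usize) & mask;
        if let Some(&c) = alphabet.get(idx) {
            id.push(c);
        } // else idx >= alphabet.len(): discard this byte and draw another
    }
    String::from_utf8(id).expect("alphabet is ASCII")
}

/// Distinct symbols seen across many IDs, the same check the advisory's PoC
/// makes. A correct generator reaches the full alphabet size almost at once.
pub fn distinct_symbols(ids: &[String]) -> usize {
    let set: std::collections::BTreeSet<char> = ids.iter().flat_map(|s| s.chars()).collect();
    set.len()
}

pub const BASE62: &[u8] = b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

fn main() {
    // Constructed byte source: a counter cycling through 0..=255, so the run is
    // reproducible. Real code must use a CSPRNG (e.g. the OS random source).
    let mut counter: u8 = 0;
    let mut src = || { counter = counter.wrapping_add(1); counter };
    let ids: Vec<String> = (0..100).map(|_| gen_id(BASE62, 21, &mut src)).collect();
    println!("{} distinct symbols in 100 IDs", distinct_symbols(&ids)); // 62
    println!("21 symbols x 62-char alphabet: {:.1} bits", id_entropy_bits(62, 21));
    println!("21 symbols x 32-char alphabet: {:.1} bits", id_entropy_bits(32, 21));
}
```

With only 32 of the 62 symbols reachable, a 21-symbol ID drops from about 125 bits to 105 bits; with 16 of the 58 base58 symbols it drops to 84 bits.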
PoC
use std::collections::BTreeSet;

// Build against an affected nano-id release (any version before the 0.4.0 fix)
// and compare the printed symbol counts with the intended alphabet sizes (58, 62).
fn main() {
    test_base58();
    test_base62();
}

fn test_base58() {
    let mut produced_symbols = BTreeSet::new();

    for _ in 0..100_000 {
        // The generator call was lost in extraction; the 21-symbol length is assumed.
        let id = nano_id::base58::<21>();
        for c in id.chars() {
            produced_symbols.insert(c);
        }
    }

    println!(
        "{} symbols generated from nano_id::base58",
        produced_symbols.len()
    );
}

fn test_base62() {
    let mut produced_symbols = BTreeSet::new();

    for _ in 0..100_000 {
        // The generator call was lost in extraction; the 21-symbol length is assumed.
        let id = nano_id::base62::<21>();
        for c in id.chars() {
            produced_symbols.insert(c);
        }
    }

    println!(
        "{} symbols generated from nano_id::base62",
        produced_symbols.len()
    );
}
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "nano-id"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-331"
],
"github_reviewed": true,
"github_reviewed_at": "2024-06-04T17:49:18Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9hc7-6w9r-wj94. This link is maintained to preserve external references.\n\n## Original Description\n## Description\n\nAffected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified.\n\nIt should be noted that `nano_id::base64` is not affected by this vulnerability.\n\n## Impact\n\nThis can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.\n\n## Patches\n\nThe flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly.\n\n## PoC\n\n```rust\nuse std::collections::BTreeSet;\n\nfn main() {\n test_base58();\n test_base62();\n}\n\nfn test_base58() {\n let mut produced_symbols = BTreeSet::new();\n\n for _ in 0..100_000 {\nid = \"RUSTSEC-2024-0343\"\n for c in id.chars() {\n produced_symbols.insert(c);\n }\n }\n\n println!(\n \"{} symbols generated from nano_id::base58\",\n produced_symbols.len()\n );\n}\n\nfn test_base62() {\n let mut produced_symbols = BTreeSet::new();\n\n for _ in 0..100_000 {\nid = \"RUSTSEC-2024-0343\"\n for c in id.chars() {\n produced_symbols.insert(c);\n }\n }\n\n println!(\n \"{} symbols generated from nano_id::base62\",\n produced_symbols.len()\n );\n}\n```",
"id": "GHSA-2hfw-w739-p7x5",
"modified": "2026-02-02T22:27:07Z",
"published": "2024-06-04T17:49:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23"
},
{
"type": "PACKAGE",
"url": "https://github.com/viz-rs/nano-id"
},
{
"type": "WEB",
"url": "https://rustsec.org/advisories/RUSTSEC-2024-0343.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Duplicate Advisory: nano-id reduced entropy due to inadequate character set usage",
"withdrawn": "2026-02-02T22:27:07Z"
}