CVE-2024-36400
📋 TL;DR
The nano-id Rust crate incorrectly generates IDs with reduced character sets in base62 and base58 functions, significantly lowering entropy. This makes generated IDs predictable and vulnerable to brute-force attacks when used for security-sensitive purposes like session tokens. All applications using affected versions of nano-id for security-critical identifiers are impacted.
💻 Affected Systems
- nano-id Rust crate
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers brute-force session tokens or unique identifiers, leading to account takeover, data breaches, or unauthorized access to sensitive systems.
Likely Case
Predictable IDs enable enumeration attacks against resources protected by these identifiers, potentially exposing user data or allowing unauthorized actions.
If Mitigated
With proper monitoring and short token lifetimes, the impact is limited to increased computational cost for attackers, but the fundamental vulnerability remains.
🎯 Exploit Status
Exploitation requires only generating IDs and observing patterns; no authentication or special access needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.4.0
Vendor Advisory: https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94
Restart Required: Yes
Instructions:
1. Update Cargo.toml to specify nano-id = "0.4.0" or higher.
2. Run 'cargo update' to fetch the new version.
3. Rebuild and redeploy the application.
4. Restart services using the updated crate.
🔧 Temporary Workarounds
Switch to base64 function
Use nano_id::base64 instead of base62 or base58, as base64 is unaffected by this vulnerability.
Replace calls to nano_id::base62 or nano_id::base58 with nano_id::base64 in Rust code
Implement custom ID generation
Temporarily replace nano-id with an alternative secure random string generator built on Rust's rand crate.
Add rand = "0.8" to Cargo.toml
Use rand::thread_rng().sample_iter(&Alphanumeric).take(length).map(char::from).collect::<String>(), with use rand::{distributions::Alphanumeric, Rng}; in scope (Alphanumeric yields u8 in rand 0.8, hence the char::from).
🧯 If You Can't Patch
- Rotate all security-sensitive IDs (session tokens, API keys) generated with affected functions immediately.
- Implement rate limiting and monitoring for brute-force attempts against identifiers.
🔍 How to Verify
Check if Vulnerable:
Check Cargo.lock or Cargo.toml for nano-id version <0.4.0. Review code for usage of nano_id::base62, nano_id::base58, or nano_id::gen with non-power-of-2 character sets.
Check Version:
grep -A 1 'name = "nano-id"' Cargo.lock | grep version
Verify Fix Applied:
Confirm nano-id version is 0.4.0 or higher in Cargo.lock. Test ID generation to ensure sufficient entropy (e.g., generate IDs and check character distribution).
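The entropy check suggested above, as an added example that is not part of the advisory or of the nano-id crate: it tallies which alphabet symbols actually appear across a batch of generated IDs and flags a generator whose sample is large enough that every symbol should have shown up, yet some never do. The base62 alphabet constant is an assumption (take the table from the crate version you audit), and the simulated generator is a constructed stand-in for producing test input, not a reproduction of the crate's bug.

```rust
use std::collections::BTreeSet;

// Assumed base62 alphabet; nano-id's own table may order symbols differently,
// so take the alphabet from the crate version you are auditing.
pub const BASE62: &str = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/// What a batch of IDs reveals about the alphabet the generator really uses.
#[derive(Debug, Clone, PartialEq)]
pub struct AuditReport {
    pub expected_symbols: usize,
    pub observed_symbols: usize,
    pub foreign_chars: usize,
    pub sampled_chars: usize,
    pub bits_per_char_expected: f64,
    pub bits_per_char_observed: f64,
}

impl AuditReport {
    /// True when a uniform generator over the full alphabet would almost surely
    /// have emitted every symbol in this many characters, yet some never appeared.
    pub fn suggests_reduced_alphabet(&self) -> bool {
        let k = self.expected_symbols as f64;
        // expected number of symbols still unseen after `sampled_chars` uniform draws
        let expected_missing = k * (1.0 - 1.0 / k).powf(self.sampled_chars as f64);
        self.observed_symbols < self.expected_symbols && expected_missing < 1e-3
    }
}

/// Tally which alphabet symbols actually occur across a batch of IDs.
pub fn audit_ids(ids: &[String], alphabet: &str) -> AuditReport {
    let mut seen = BTreeSet::new();
    let (mut foreign, mut total) = (0usize, 0usize);
    for id in ids {
        for c in id.chars() {
            total += 1;
            if alphabet.contains(c) {
                seen.insert(c);
            } else {
                foreign += 1; // a symbol outside the advertised alphabet
            }
        }
    }
    let expected = alphabet.chars().count();
    AuditReport {
        expected_symbols: expected,
        observed_symbols: seen.len(),
        foreign_chars: foreign,
        sampled_chars: total,
        bits_per_char_expected: (expected as f64).log2(),
        bits_per_char_observed: (seen.len().max(1) as f64).log2(),
    }
}

/// Tiny xorshift64 PRNG so the constructed sample is deterministic and offline.
/// It is not cryptographically secure and exists only to build test input.
struct XorShift(u64);
impl XorShift {
    fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x << 13;
        x ^= x >> 7;
        x ^= x << 17;
        self.0 = x;
        x
    }
}

/// Constructed stand-in for an ID generator (not nano-id's code). `usable` is how
/// many leading alphabet symbols it can emit: the full length models a correct
/// generator, a smaller value models a reduced character set.
pub fn simulate_ids(alphabet: &str, usable: usize, count: usize, len: usize, seed: u64) -> Vec<String> {
    let symbols: Vec<char> = alphabet.chars().take(usable).collect();
    let k = symbols.len() as u64;
    let limit = (u64::from(u32::MAX) / k) * k; // rejection bound keeps draws uniform
    let mut rng = XorShift(seed);
    (0..count)
        .map(|_| {
            (0..len)
                .map(|_| loop {
                    let r = rng.next_u64() >> 32; // 32 fresh bits per draw
                    if r < limit {
                        break symbols[(r % k) as usize];
                    }
                })
                .collect::<String>()
        })
        .collect()
}

fn main() {
    let seed: u64 = 0x9E37_79B9_7F4A_7C15;
    for (label, usable) in [("full alphabet", 62), ("reduced alphabet", 32)] {
        let ids = simulate_ids(BASE62, usable, 200, 21, seed);
        let report = audit_ids(&ids, BASE62);
        println!("{}: {:?} flagged={}", label, report, report.suggests_reduced_alphabet());
    }
}
```

To audit the real crate, replace the simulated batch with a few hundred IDs produced by the nano_id function you use and pass the alphabet that function documents; a nonzero foreign_chars count or a true suggests_reduced_alphabet() on a sample of a few thousand characters is a strong signal that the generator is not drawing from the full alphabet.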
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of failed authentication attempts using predictable IDs
- High volume of requests to endpoints using nano-id generated tokens
Network Indicators:
- Increased traffic to token validation endpoints
- Patterns of sequential or predictable ID requests
SIEM Query:
source=application_logs AND (message:"invalid token" OR message:"authentication failed") | stats count by src_ip | where count > 100
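The same aggregation as the query above, as an added example (not from the advisory or the crate) that runs offline over constructed log lines: it parses a src_ip and message field from each line, keeps only "invalid token" / "authentication failed" events, counts them per source and reports sources over the threshold. The key=value log format and the IP addresses are constructed for the example; adapt parse_line to whatever your application actually emits.

```rust
use std::collections::HashMap;

/// One parsed application log event (the fields the constructed format carries).
#[derive(Debug, PartialEq)]
pub struct LogEvent<'a> {
    pub src_ip: &'a str,
    pub message: &'a str,
}

/// Parse one line of the constructed format:
///   2024-06-01T12:00:00Z src_ip=203.0.113.5 message="invalid token"
/// Returns None for lines that lack either field.
pub fn parse_line(line: &str) -> Option<LogEvent<'_>> {
    let ip_start = line.find("src_ip=")? + "src_ip=".len();
    let ip_end = line[ip_start..].find(' ').map_or(line.len(), |i| ip_start + i);
    let msg_start = line.find("message=\"")? + "message=\"".len();
    let msg_end = msg_start + line[msg_start..].find('"')?;
    Some(LogEvent {
        src_ip: &line[ip_start..ip_end],
        message: &line[msg_start..msg_end],
    })
}

/// The message filter from the advisory's query, matched case-insensitively.
pub fn is_auth_failure(message: &str) -> bool {
    let m = message.to_ascii_lowercase();
    m.contains("invalid token") || m.contains("authentication failed")
}

/// Equivalent of `stats count by src_ip | where count > threshold`:
/// sources with more failures than `threshold`, busiest first.
pub fn flag_sources(lines: &[String], threshold: usize) -> Vec<(String, usize)> {
    let mut counts: HashMap<&str, usize> = HashMap::new();
    for line in lines {
        if let Some(ev) = parse_line(line) {
            if is_auth_failure(ev.message) {
                *counts.entry(ev.src_ip).or_insert(0) += 1;
            }
        }
    }
    let mut flagged: Vec<(String, usize)> = counts
        .into_iter()
        .filter(|(_, n)| *n > threshold)
        .map(|(ip, n)| (ip.to_string(), n))
        .collect();
    // busiest source first; ties broken by address so output is deterministic
    flagged.sort_by(|a, b| b.1.cmp(&a.1).then_with(|| a.0.cmp(&b.0)));
    flagged
}

/// Constructed sample log: one source repeatedly failing token validation,
/// two sources with a single failure each, and one malformed line.
pub fn sample_log() -> Vec<String> {
    let mut lines: Vec<String> = (0..130)
        .map(|i| {
            format!(
                "2024-06-01T12:{:02}:{:02}Z src_ip=203.0.113.5 message=\"invalid token\"",
                i / 60,
                i % 60
            )
        })
        .collect();
    lines.push("2024-06-01T12:05:00Z src_ip=198.51.100.7 message=\"authentication failed\"".to_string());
    lines.push("2024-06-01T12:05:01Z src_ip=198.51.100.7 message=\"login ok\"".to_string());
    lines.push("2024-06-01T12:06:00Z src_ip=192.0.2.9 message=\"Invalid token\"".to_string());
    lines.push("malformed line without the expected fields".to_string());
    lines
}

fn main() {
    for (ip, n) in flag_sources(&sample_log(), 100) {
        println!("{} exceeded threshold with {} failures", ip, n);
    }
}
```

The threshold of 100 mirrors the query; in practice tune it per endpoint and bucket by time window, since a slow enumeration of predictable IDs spread over hours will not trip a raw per-source count.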
🔗 References
- https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23
- https://github.com/viz-rs/nano-id/security/advisories/GHSA-9hc7-6w9r-wj94