CVE-2025-54884

Source
https://cve.org/CVERecord?id=CVE-2025-54884
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54884.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-54884
Aliases
  • GHSA-gg28-wc2c-jjj3
Published
2025-08-05T23:37:28.995Z
Modified
2026-07-15T01:49:15.975649010Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Vision UI security-kit.js: Potential Uncontrolled Resource Allocation Vulnerability
Details

Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the generateSecureId and getSecureRandomInt functions in security-kit versions prior to 3.5.0 (packaged in Vision UI 1.4.0 and below) are vulnerable to Denial of Service (DoS) attacks. The generateSecureId(length) function directly used the length parameter to size a Uint8Array buffer, allowing attackers to exhaust server memory through repeated requests for large IDs since the previous 1024 limit was insufficient. The getSecureRandomInt(min, max) function calculated buffer size based on the range between min and max, where large ranges caused excessive memory allocation and CPU-intensive rejection-sampling loops that could hang the thread. This issue is fixed in version 1.5.0.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/54xxx/CVE-2025-54884.json"
}
References

Affected packages

Git / github.com/davidosipov/vision-ui

Affected ranges

Type
GIT
Repo
https://github.com/davidosipov/vision-ui
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.5.0"
        }
    ]
}

Affected versions

1.*
1.0.0
1.4.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-54884.json"