CVE-2024-36400

nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0.

nano-id is a unique string ID generator for Rust. Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. The vulnerability is fixed in 0.4.0.

## Description Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. ## Impact This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. ## Patches The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly. ## PoC ```rust use std::collections::BTreeSet; fn main() { test_base58(); test_base62(); } fn test_base58() { let mut produced_symbols = BTreeSet::new(); for _ in 0..100_000 { id = "RUSTSEC-2024-0343" for c in id.chars() { produced_symbols.insert(c); } } println!( "{} symbols generated from nano_id::base58", produced_symbols.len() ); } fn test_base62() { let mut produced_symbols = BTreeSet::new(); for _ in 0..100_000 { id = "RUSTSEC-2024-0343" for c in id.chars() { produced_symbols.insert(c); } } println!( "{} symbols generated from nano_id::base62", produced_symbols.len() ); } ```

# Reduced entropy due to inadequate character set usage ## Description Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified. It should be noted that `nano_id::base64` is not affected by this vulnerability. ## Impact This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers. ## Patches The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id/commit/a9022772b2f1ce38929b5b81eccc670ac9d3ab23) by updating the the `nano_id::gen` macro to use all specified characters correctly. ## PoC ```rust use std::collections::BTreeSet; fn main() { test_base58(); test_base62(); } fn test_base58() { let mut produced_symbols = BTreeSet::new(); for _ in 0..100_000 { let id = nano_id::base58::<10>(); for c in id.chars() { produced_symbols.insert(c); } } println!( "{} symbols generated from nano_id::base58", produced_symbols.len() ); } fn test_base62() { let mut produced_symbols = BTreeSet::new(); for _ in 0..100_000 { let id = nano_id::base62::<10>(); for c in id.chars() { produced_symbols.insert(c); } } println!( "{} symbols generated from nano_id::base62", produced_symbols.len() ); } ```

nano-id es un generador de ID de cadena único para Rust. Las versiones afectadas de la caja nano-id generaron identificaciones incorrectamente utilizando un conjunto de caracteres reducido en las funciones `nano_id::base62` y `nano_id::base58`. Específicamente, la función "base62" usó un conjunto de caracteres de 32 símbolos en lugar de los 62 símbolos previstos, y la función "base58" usó un conjunto de caracteres de 16 símbolos en lugar de los 58 símbolos previstos. Además, la macro `nano_id::gen` también se ve afectada cuando se especifica un conjunto de caracteres personalizado que no tiene un tamaño de potencia de 2. Cabe señalar que `nano_id::base64` no se ve afectado por esta vulnerabilidad. Esto puede dar como resultado una reducción significativa de la entropía, lo que hace que los ID generados sean predecibles y vulnerables a ataques de fuerza bruta cuando los ID se utilizan en contextos sensibles a la seguridad, como tokens de sesión o identificadores únicos. La vulnerabilidad se solucionó en 0.4.0.