Description
https://www.mend.io/vulnerability-database/CVE-2026-41907/
uuid critical vulnerability CVE-2026-41907 found in the following build chain:
└─┬ @redis/entraid 5.12.1
  └─┬ @azure/msal-node 2.16.3
    └── uuid 8.3.2
Fixes have been found in uuid>=11. Looking at @azure/msal-node, the latest release for msal-node is 5.x, and 5.1.5 removes the uuid module.
The change from 2.x to 3.x was to remove an internal that was accidentally exported in the API; there was no 4.x from what I can see. 3.x -> 5.x looks sizeable.
Raised a security vulnerability previously, but no updates since opening last week, so raising an issue too - https://github.com/redis/node-redis/security/advisories/GHSA-6mrv-vw7r-r73q
Severity is CVSS 9.8/10, so please triage/resolve ASAP. Thanks.
Node.js Version
N/A
Redis Server Version
N/A
Node Redis Version
@redis/entraid 5.12.1
Platform
No response
Logs
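
To check whether a project's lockfile contains the chain reported above, the following added example (not part of the original issue and not node-redis code) walks the `packages` map of a package-lock.json and lists every dependency chain that ends in a uuid install below major 11, the fix threshold the issue cites. The sample lockfile, its uuid 11.1.0 entry and dependency ranges, and all function names are constructed for illustration; lockfileVersion 2 or 3 is assumed.

```javascript
// Constructed sample in package-lock.json v2/v3 layout ("packages" keyed by install path); ranges are made up.
const sampleLock = { packages: {
  "": { name: "app", dependencies: { "@redis/entraid": "5.12.1", uuid: "^11.0.0" } },
  "node_modules/@redis/entraid": { version: "5.12.1", dependencies: { "@azure/msal-node": "^2.16.0" } },
  "node_modules/@azure/msal-node": { version: "2.16.3", dependencies: { uuid: "^8.3.0" } },
  "node_modules/@azure/msal-node/node_modules/uuid": { version: "8.3.2" },
  "node_modules/uuid": { version: "11.1.0" },
} };

const nameOf = (p) => p.slice(p.lastIndexOf("node_modules/") + "node_modules/".length);
// Node resolution: the dependent's own node_modules first, then each ancestor's.
function resolveInstall(pkgs, from, name) {
  for (let dir = from; ; ) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (pkgs[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}
// Install paths whose declared dependency on nameOf(target) resolves to exactly this copy.
function dependentsOf(pkgs, target) {
  const name = nameOf(target);
  return Object.keys(pkgs).filter((p) => {
    const e = pkgs[p];
    const deps = { ...e.dependencies, ...e.devDependencies, ...e.optionalDependencies };
    return name in deps && resolveInstall(pkgs, p, name) === target;
  });
}
// Every chain from the root project down to `target`, as "name@version" labels.
function chainsTo(pkgs, target, seen = new Set()) {
  if (target === "") return [[]];
  if (seen.has(target)) return []; // dependency cycle guard
  const label = `${nameOf(target)}@${pkgs[target].version}`;
  const next = new Set(seen).add(target);
  return dependentsOf(pkgs, target)
    .flatMap((p) => chainsTo(pkgs, p, next))
    .map((chain) => [...chain, label]);
}
// Chains leading to any installed copy of `name` whose major version is below `fixedMajor`.
function findOldInstalls(lock, name, fixedMajor) {
  const pkgs = lock.packages;
  return Object.keys(pkgs)
    .filter((p) => p && nameOf(p) === name && parseInt(pkgs[p].version, 10) < fixedMajor)
    .flatMap((p) => chainsTo(pkgs, p).map((chain) => chain.join(" > ")));
}

console.log(findOldInstalls(sampleLock, "uuid", 11)); // 11 = fixed major stated in the issue
```

For a real project, pass the parsed contents of its package-lock.json in place of `sampleLock`; the hoisted top-level uuid in the sample is not reported because only the nested copy is below the threshold.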