CVE-2025-54884 Overview
CVE-2025-54884 is a Denial of Service (DoS) vulnerability affecting Vision UI versions 1.4.0 and below. The flaw resides in the security-kit module (versions prior to 3.5.0) bundled with Vision UI. Two functions, generateSecureId and getSecureRandomInt, accept attacker-controlled size parameters without sufficient bounds enforcement. The generateSecureId(length) function sized a Uint8Array buffer directly from the length parameter, while getSecureRandomInt(min, max) allocated buffers proportional to the supplied range. Repeated abusive requests exhaust server memory and CPU, hanging the thread. The issue is fixed in Vision UI 1.5.0 and tracked under GHSA-gg28-wc2c-jjj3.
Critical Impact
Unauthenticated remote attackers can exhaust server memory and CPU resources, rendering applications using Vision UI unresponsive without any user interaction.
Affected Products
- Vision UI versions 1.4.0 and below
- security-kit module versions prior to 3.5.0
- Web applications bundling the vulnerable security-kit module
Discovery Timeline
- 2025-08-06 - CVE-2025-54884 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-54884
Vulnerability Analysis
The vulnerability is classified as Uncontrolled Resource Consumption [CWE-400]. Two cryptographic helper functions in security-kit fail to enforce upper bounds on attacker-controlled parameters.
The generateSecureId(length) function used the length argument directly to allocate a Uint8Array. The prior internal cap of 1024 bytes was insufficient and could still be invoked repeatedly. Attackers requesting large IDs in rapid succession exhaust server heap memory.
The getSecureRandomInt(min, max) function derived buffer size from the difference between min and max. Wide ranges triggered excessive allocations and forced the rejection-sampling loop into CPU-intensive iterations that block the event loop.
Root Cause
The root cause is missing input validation on size-controlling parameters before memory allocation. Both functions trust caller-supplied integers and translate them into buffer sizes without ceiling checks or rate enforcement. This is a classic resource-exhaustion pattern in JavaScript cryptographic utilities.
Attack Vector
Exploitation requires only network access to an endpoint that invokes the vulnerable functions with user-controlled parameters. No authentication, privileges, or user interaction are required. An attacker submits crafted requests with oversized length values or wide min/max ranges to trigger memory and CPU exhaustion in the Node.js or browser runtime hosting Vision UI.
// Patch reference from security-kit.js header
// Author ORCID: 0009-0005-2713-9242
// Author VIAF: 139173726847611590332
// Author Wikidata: Q130604188
-// Version: 3.0.0
+// Version: 3.4.0
/**
* Secure, performant, and modern cryptographic utilities.
* @module security-kit
- * @version 3.0.0
+ * @version 3.4.0
*/
// Source: https://github.com/DavidOsipov/Vision-ui/commit/74802cd688b661a35e638fc96938d65ca7c05ff5
The patch tightens parameter validation and lowers the maximum allowable buffer sizes for both functions. See the GitHub commit for the full diff.
Detection Methods for CVE-2025-54884
Indicators of Compromise
- HTTP requests containing unusually large numeric length, min, or max parameters routed to endpoints invoking Vision UI helpers.
- Sudden spikes in Node.js heap usage or V8 out-of-memory errors in application logs.
- Repeated requests from the same source to ID generation or random integer endpoints.
Detection Strategies
- Inventory dependencies and flag any application embedding security-kit below version 3.5.0 or Vision UI at or below 1.4.0.
- Add Web Application Firewall (WAF) rules to inspect parameter magnitudes on endpoints that wrap generateSecureId or getSecureRandomInt.
- Enable runtime application self-protection (RASP) telemetry to flag long-running synchronous loops in Node.js worker threads.
Monitoring Recommendations
- Track process-level memory and CPU metrics for Node.js services and alert on sustained saturation.
- Log all 4xx/5xx responses from routes that surface ID or random integer generation and correlate by source IP.
- Monitor request-rate anomalies against endpoints that accept size parameters.
How to Mitigate CVE-2025-54884
Immediate Actions Required
- Upgrade Vision UI to version 1.5.0 or later, which ships security-kit 3.5.0 with enforced size limits.
- Audit application code for direct callers of generateSecureId and getSecureRandomInt and validate inputs before invocation.
- Apply per-endpoint rate limiting and request size caps at the reverse proxy or API gateway layer.
Patch Information
The vulnerability is resolved in Vision UI release 1.5.0. Details are documented in the GitHub Security Advisory GHSA-gg28-wc2c-jjj3 and the corresponding security-kit.js commit.
Workarounds
- Wrap calls to vulnerable functions with strict allow-list validation, capping length to a small constant (for example, 64 bytes) and clamping min/max ranges.
- Deploy WAF signatures that reject requests where numeric parameters exceed business-justified maximums.
- Apply request rate limiting and per-IP quotas to endpoints that expose these helpers.
# Upgrade Vision UI to the patched release
npm install vision-ui@1.5.0
# Verify the installed version
npm ls vision-ui
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
