Summary
Dependabot flagged a security vulnerability in our transitive dependency on uuid introduced by mixpanel-react-native.
CVE: CVE-2026-41907
Package: uuid (npm)
Vulnerable range: < 14.0.0
Fixed version: 14.0.0
CVSS: 8.1 (High)
EPSS: 0.00042 (low current exploit activity)
Vulnerability
uuid v3, v5 and v6 accept caller-supplied output buffers but do not validate bounds before writing. Passing a small buffer or a large offset causes silent partial writes without throwing an error. This can result in malformed UUIDs and, in certain conditions, data corruption or logic flaws in consuming code.
Reference: GHSA-w5hq-g745-h8pq
Why we can't resolve it ourselves
mixpanel-react-native@3.3.0 pins uuid@^9.0.1. Dependabot cannot upgrade past 9.0.1 while this constraint is in place. The fix requires uuid@14.0.0, which is a breaking major version jump and needs to be adopted by mixpanel-react-native directly.
mixpanel-react-native@3.3.0 -> uuid@^9.0.1 (vulnerable)
Fix requires: uuid@14.0.0
Current status
Latest mixpanel-react-native release: 3.3.0 (still affected)
No patched version of mixpanel-react-native available at time of writing
Dependabot alert cannot be resolved or dismissed without upstream action
Request
Please update the uuid dependency to ^14.0.0 (or replace it with an equivalent implementation) in an upcoming release. In the interim, any guidance on risk mitigation or a workaround would be helpful.
Summary
Dependabot flagged a security vulnerability in our transitive dependency on uuid introduced by mixpanel-react-native.
CVE: CVE-2026-41907
Package: uuid (npm)
Vulnerable range: < 14.0.0
Fixed version: 14.0.0
CVSS: 8.1 (High)
EPSS: 0.00042 (low current exploit activity)
Vulnerability
uuid v3, v5 and v6 accept caller-supplied output buffers but do not validate bounds before writing. Passing a small buffer or a large offset causes silent partial writes without throwing an error. This can result in malformed UUIDs and, in certain conditions, data corruption or logic flaws in consuming code.
Reference: GHSA-w5hq-g745-h8pq
Why we can't resolve it ourselves
mixpanel-react-native@3.3.0 pins uuid@^9.0.1. Dependabot cannot upgrade past 9.0.1 while this constraint is in place. The fix requires uuid@14.0.0, which is a breaking major version jump and needs to be adopted by mixpanel-react-native directly.
mixpanel-react-native@3.3.0 -> uuid@^9.0.1 (vulnerable)
Fix requires: uuid@14.0.0
Current status
Latest mixpanel-react-native release: 3.3.0 (still affected)
No patched version of mixpanel-react-native available at time of writing
Dependabot alert cannot be resolved or dismissed without upstream action
Request
Please update the uuid dependency to ^14.0.0 (or replace it with an equivalent implementation) in an upcoming release. In the interim, any guidance on risk mitigation or a workaround would be helpful.