Skip to content

mixpanel-react-native blocks resolution of uuid CVE-2026-41907 (GHSA-w5hq-g745-h8pq) #423

Description

@mt-rsobachi

Summary

Dependabot flagged a security vulnerability in our transitive dependency on uuid introduced by mixpanel-react-native.

CVE: CVE-2026-41907
Package: uuid (npm)
Vulnerable range: < 14.0.0
Fixed version: 14.0.0
CVSS: 8.1 (High)
EPSS: 0.00042 (low current exploit activity)

Vulnerability

uuid v3, v5 and v6 accept caller-supplied output buffers but do not validate bounds before writing. Passing a small buffer or a large offset causes silent partial writes without throwing an error. This can result in malformed UUIDs and, in certain conditions, data corruption or logic flaws in consuming code.
Reference: GHSA-w5hq-g745-h8pq

Why we can't resolve it ourselves

mixpanel-react-native@3.3.0 pins uuid@^9.0.1. Dependabot cannot upgrade past 9.0.1 while this constraint is in place. The fix requires uuid@14.0.0, which is a breaking major version jump and needs to be adopted by mixpanel-react-native directly.
mixpanel-react-native@3.3.0 -> uuid@^9.0.1 (vulnerable)
Fix requires: uuid@14.0.0

Current status

Latest mixpanel-react-native release: 3.3.0 (still affected)
No patched version of mixpanel-react-native available at time of writing
Dependabot alert cannot be resolved or dismissed without upstream action

Request

Please update the uuid dependency to ^14.0.0 (or replace it with an equivalent implementation) in an upcoming release. In the interim, any guidance on risk mitigation or a workaround would be helpful.

Metadata

Metadata

Assignees

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions