Ask HN: We just had an actual UUID v4 collision...

Posted by mittermayr 3 hours ago

I know what you're thinking... and I still can't believe it, but...

This morning, our database flagged a duplicate UUID (v4). I checked, thinking it may have been a double-insert bug or something, but no.

The original UUID was from a record added in 2025 (about a year ago), and today the system inserted a new document with a fresh UUIDv4 and it came up with the exact same one:

b6133fd6-70fe-4fe3-bed6-8ca8fc9386cd

We're using this: https://www.npmjs.com/package/uuid

I thought this is technically impossible, and it will never happen, and since we're not modifying the UUIDs in any way, I really wonder how that.... is possible!? We're literally only calling:

import { v4 as uuidv4 } from "uuid";

const document_id = uuidv4();

... and then insert into the database, that's it.

Additionally, the database only has about 15.000 records, and now one collision. Statistically... impossible.

Has that ever happened to anyone?! What in the...

44 points | 54 comments

adyavanapalli 1 hour ago|

What you're talking about is so extremely rare that it's much more likely that the entire Earth is destroyed by an asteroid right this inst...

jordiburgos 2 hours ago||

Please, do not use b6133fd6-70fe-4fe3-bed6-8ca8fc9386cd, I checked my database and I was using it already.

mittermayr 1 hour ago||

I knew it, we're all getting the same cheap UUIDs and the good ones are reserved for the big dogs.

Galanwe 1 hour ago||

uuid.uuidv4() recently switched to "adaptive entropy" instead of "xmax entropy" in an effort to save costs on non-premium users.

robshep 1 hour ago|||

I'm using 16b55183-1697-496e-bc8a-854eb9aae0f3 and probably some more too. I suppose if we all post our list here, then we can all check for duplicates?

jsnell 1 hour ago|||

You can check https://everyuuid.com/ for collisions.

mittermayr 1 hour ago||||

We should all send our already-generated UUIDs to a shared database, we could just put it on Supabase with a shared username/password posted on HN, so we can all ensure that after generating a UUIDv4 locally, it's not used by anyone else. If it's in the database, we know it's taken.

It's a super simple mechanism, check in common worldwide UUID database, if not in there, you can use it. Perhaps if we use a START TRANSACTION, we could ensure it's not taken as we insert. But that's all easy, I'll ask Claude to wire it up, no problem.

broken-kebab 50 minutes ago||

But then I will claim I have already used all the UUIDs in my spreadsheets, and my lawyer will send cease&desist letters to every database.

volemo 1 hour ago|||

A site previously posted here could be useful: https://everyuuid.com/

classified 13 minutes ago||

That UUID should have my name sticker on it. Don't your UUIDs have name stickers?

lyfeninja 12 minutes ago||

Although incredibly rare, it's not impossible so probably best to just plan for collisions. A simply retry should suffice. But I agree I feel like something is going on somewhere else ...

throwaway_19sz 35 minutes ago||

Funny story no one will believe, but it’s true. A good friend of mine joined a startup as CTO 10 years ago, high growth phase, maybe 200 devs… In his first week he discovered the company had a microservice for generating new UUIDs. One endpoint with its own dedicated team of 3 engineers …including a database guy (the plot thickens). Other teams were instructed to call this service every time they needed a new ‘safe’ UUID. My pal asked wtf. It turned out this service had its own DB to store every previously issued UUID. Requests were handled as follows: it would generate a UUID, then ‘validate’ it by checking its own database to ensure the newly generated UUID didn’t match any previously generated UUIDs, then insert it, then return it to the client. Peace of mind I guess. The team had its own kanban board and sprints.

leni536 40 minutes ago||

It's not happening by chance, there is a bug somewhere.

From what I skimmed the package should just call to the js runtime's crypto.randomUUID(). I think it should always be properly seeded.

I think it is extremely unlikely that the runtime has a bug here, but who knows? What js runtime do you use?

tumdum_ 1 hour ago||

Poorly seeded prng.

jdthedisciple 57 minutes ago|

most likely the culprit indeed

nswango 45 minutes ago||

But I used nonstandard nonces!

NKosmatos 35 minutes ago||

> I thought this is technically impossible

Actually it's not impossible, but very very improbable.

P.S. You should play a lottery/powerball ticket

P.P.S. Whenever I use the word improbable, the https://hitchhikers.fandom.com/wiki/Infinite_Improbability_D... comes in mind

samdhar 3 hours ago||

The math says no. UUID v4 has 122 bits of randomness, so collision probability for 15K records is N²/(2·2^122) ≈ 2·10^-29. That's somewhere around "fewer collisions per universe lifetime than atoms in your liver." Whatever you're seeing, the culprit is overwhelmingly somewhere else.

Things to check, in descending order of how likely they actually are:

1. Data import / migration / backup restore, perhaps? Did anyone load a CSV, run a seed script, restore a snapshot, or copy rows between environments at any point in the last year? This is what "duplicate UUID" is in 99% of cases. Check git on migrations, ops history on the DB, and ask anyone who might have been moving data around.

2. Application retry / rollback bug maybe? Code path that generates a UUID, attempts insert, fails on constraint violation, retries with the same UUID variable still in scope. Check whether UUID generation lives inside or outside the retry boundary.

3. Older versions of the uuid package in certain bundler environments would fall back to Math.random() instead of crypto.getRandomValues(). What version are you on? Anything <4.x is suspect; modern v8+/v9+ uses crypto everywhere correctly.

4. Could also be a process fork bug. If a UUID generator runs in a child process spawned from a parent that already used the PRNG, the entropy state can get copied. Rare in Node specifically, more historical in old Python/Ruby setups.

If you've ruled all of those out and the row really was generated independently a year apart via crypto.getRandomValues, go buy a lottery ticket. But it's almost certainly cause #1.

uncircle 1 hour ago||

Statistically speaking, does extremely unlikely mean impossible? If it were replicable I'd raise my eyebrow, otherwise it's fair game, no?

As someone that enjoys the unterminable complaints about RNG in the video game scene, I would never trust any human's rationalization of random outcomes.

mschild 59 minutes ago|||

> Statistically speaking, does extremely unlikely mean impossible?

No, it means extremely unlikely. Collisions can occur, as op just found out, but the chances are so abysmally small that most people don't care.

Any application I have worked on, I always had a pre-save check to see if the UUID was already present and generate a new one if it was. Don't think it ever triggered unless a bug was introduced somewhere but good practice anyway.

nubg 1 hour ago|||

You are replying to an AI bot

harperlee 55 minutes ago||

Would be cool to have a plugin that shows % of bot per user, based on their history of comments.

ashleyn 56 minutes ago|||

There could be a problem with the way the system generates entropy for randomness.

nubg 1 hour ago||

Question to fellow HNers, do you recognize that this comment was written by AI?

piva00 1 minute ago|||

Yes but as a feeling (hunch?) not as something my brain analysed and reached a conclusion.

Weird how I'm already somewhat conditioned to spot it on a intuitive level.

prakka 57 minutes ago||||

No, to be honest. However, as soon as it was pointed out, I checked again and it made sense.

In my opinion, these kind of intuitions have to grow over time. And every time it’s pointed out, you learn. So please, keep pointing it out :).

tirutiru 51 minutes ago||||

I did not. Post-conditioning by your comment and the other one,I can see some signs such attempting to be unusually comprehensive. The 'atoms in your liver' could be an awkward human trying to be poetic about scales.

I still don't see idiomatic markers of AI so that's scary if your claim is correct.

nottorp 28 minutes ago||||

Interesting enough, I skipped it when scrolling through the comments the first time. I think I instinctually do that to most karma whoring comments, no matter if manual or LLM generated.

Only noticed it because I did another pass and saw the replies talking about "AI".

uncircle 58 minutes ago||||

I guess not, and I feel dirty now. I'm logging off for the day.

mschild 58 minutes ago||||

Kind of. It reads a bit too much like tech support you'd get when asking one for help.

ssenssei 43 minutes ago||||

when it started going on about all the different cases in the second bullet point... yeah

speedgoose 38 minutes ago|||

Yes, stupid comparison with atoms in the liver and a bullet list below? I stopped reading.

not_math 36 minutes ago||

Reminds me of some code I saw running in production. Every time we added a new entry, we were pulling all the UUIDs from this table, generating a new UUID, and checking for collisions up to 10 times.

glaslong 1 hour ago|

Buy some lava lamps

More comments...