Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZjaHctNmZyZy1mNzU5
Regular Expression Denial of Service in Acorn
Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF-16, which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability, leading to Denial of Service.
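The advisory's own mitigation hint is the sanitization step: the triggering pattern contains a lone UTF-16 surrogate (\ud800), which well-behaved input handling would normally reject or replace before the text reaches a parser. The following is an added example, not code from the advisory or from acorn, showing a defender-side gate that detects lone surrogates in untrusted source text and either rejects the input or replaces the offending code units with U+FFFD before handing it on. The `parse` callback passed to `guardSource` is a hypothetical stand-in for whatever parser call the application makes; the sample inputs are constructed here.

```javascript
// Added example (not part of the advisory or of acorn): validate that
// untrusted source text is well-formed UTF-16 before parsing it.
// A lone surrogate code unit (0xD800-0xDFFF without its pair) is the
// ill-formed input the advisory describes.

const HIGH_MIN = 0xd800, HIGH_MAX = 0xdbff;
const LOW_MIN = 0xdc00, LOW_MAX = 0xdfff;

// Return the index of the first lone surrogate code unit, or -1 if the
// string is well-formed UTF-16. Written by hand so it also runs on engines
// that lack String.prototype.isWellFormed().
function firstLoneSurrogate(str) {
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    if (cu >= HIGH_MIN && cu <= HIGH_MAX) {
      // High surrogate: valid only when immediately followed by a low surrogate.
      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : -1;
      if (next >= LOW_MIN && next <= LOW_MAX) {
        i++; // well-formed pair, skip the low half
      } else {
        return i;
      }
    } else if (cu >= LOW_MIN && cu <= LOW_MAX) {
      // Low surrogate with no preceding high surrogate.
      return i;
    }
  }
  return -1;
}

// Replace every lone surrogate with U+FFFD so the result is well-formed UTF-16,
// mirroring the sanitization step the advisory says usually happens upstream.
function sanitizeUtf16(str) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    if (cu >= HIGH_MIN && cu <= HIGH_MAX) {
      const next = i + 1 < str.length ? str.charCodeAt(i + 1) : -1;
      if (next >= LOW_MIN && next <= LOW_MAX) {
        out.push(str[i], str[i + 1]);
        i++;
      } else {
        out.push('\ufffd');
      }
    } else if (cu >= LOW_MIN && cu <= LOW_MAX) {
      out.push('\ufffd');
    } else {
      out.push(str[i]);
    }
  }
  return out.join('');
}

// Gate untrusted source before it reaches the parser. `parse` is a
// hypothetical placeholder for the application's real parser call.
// mode 'reject' throws on ill-formed input; mode 'sanitize' repairs it first.
function guardSource(src, parse, { mode = 'reject' } = {}) {
  const idx = firstLoneSurrogate(src);
  if (idx !== -1) {
    if (mode === 'reject') {
      throw new RangeError(`ill-formed UTF-16 input: lone surrogate at index ${idx}`);
    }
    src = sanitizeUtf16(src);
  }
  return parse(src);
}

// Constructed samples: the advisory's pattern as a string (lone high surrogate),
// a well-formed astral character (a proper surrogate pair), and plain ASCII.
const SAMPLES = {
  loneSurrogate: '/[x-\ud800]/u',
  surrogatePair: '/[x-\ud83d\ude00]/u',
  ascii: 'var a = 1;',
};

// Stand-alone demonstration; a real deployment would pass the parser here.
const fakeParse = (s) => ({ length: s.length });
for (const [name, text] of Object.entries(SAMPLES)) {
  const idx = firstLoneSurrogate(text);
  console.log(name, idx === -1 ? 'well-formed' : `lone surrogate at ${idx}`);
}
console.log('sanitized:', JSON.stringify(guardSource(SAMPLES.loneSurrogate, (s) => s, { mode: 'sanitize' })));
```

Rejecting is the safer default for source code, since a replaced code unit changes the program being parsed; sanitizing is appropriate where the text only needs to be tokenized or displayed. Either way the check runs in linear time over the input, so it cannot itself become the slow path.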
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTZjaHctNmZyZy1mNzU5
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 5 years ago
Updated: about 2 years ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-6chw-6frg-f759
References:
- https://github.com/acornjs/acorn/issues/929
- https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802
- https://snyk.io/vuln/SNYK-JS-ACORN-559469
- https://www.npmjs.com/advisories/1488
- https://github.com/advisories/GHSA-6chw-6frg-f759
Blast Radius: 45.4
Affected Packages
npm:acorn
Dependent packages: 8,880
Dependent repositories: 1,121,780
Downloads: 361,779,586 last month
Affected Version Ranges: >= 5.5.0, < 5.7.4, >= 7.0.0, < 7.1.1, >= 6.0.0, < 6.4.1
Fixed in: 5.7.4, 7.1.1, 6.4.1
All affected versions: 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.6.0, 5.6.1, 5.6.2, 5.7.0, 5.7.1, 5.7.2, 5.7.3, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.3.0, 6.4.0, 7.0.0, 7.1.0
All unaffected versions: 0.0.1, 0.1.0, 0.2.0, 0.3.0, 0.3.1, 0.4.0, 0.4.2, 0.5.0, 0.6.0, 0.7.0, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.12.0, 1.0.0, 1.0.1, 1.0.3, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 2.0.0, 2.0.1, 2.0.4, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.5.2, 2.6.0, 2.6.2, 2.6.4, 2.7.0, 3.0.0, 3.0.2, 3.0.4, 3.1.0, 3.2.0, 3.3.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.13, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1, 5.7.4, 6.4.1, 6.4.2, 7.1.1, 7.2.0, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.3.0, 8.4.0, 8.4.1, 8.5.0, 8.6.0, 8.7.0, 8.7.1, 8.8.0, 8.8.1, 8.8.2, 8.9.0, 8.10.0, 8.11.0, 8.11.1, 8.11.2, 8.11.3, 8.12.0, 8.12.1, 8.13.0, 8.14.0