CVE-2023-34109

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2023-34109

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-34109.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2023-34109

Aliases

GHSA-38hx-x5hq-5fg4

Published

2023-06-07T17:11:21.949Z

Modified

2025-11-29T14:17:53.387026Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

User input results in Unbounded resource consumption in @zxcvbn-ts/core

Details

zxcvbn-ts is an open source password strength estimator written in typescript. This vulnerability affects users running on the nodeJS platform which are using the second argument of the zxcvbn function. It can result in an unbounded resource consumption as the user inputs array is extended with every function call. Browsers are impacted, too but a single user need to do a lot of input changes so that it affects the browser, while the node process gets the inputs of every user of a platform and can be killed that way. This problem has been patched in version 3.0.2. Users are advised to upgrade. Users unable to upgrade should stop using the second argument of the zxcvbn function and use the zxcvbnOptions.setOptions function.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/34xxx/CVE-2023-34109.json",
    "cwe_ids": [
        "CWE-400"
    ]
}

References

Affected packages

Git / github.com/zxcvbn-ts/zxcvbn

Affected ranges

Type: GIT
Repo: https://github.com/zxcvbn-ts/zxcvbn
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ee53a5361aedf35717fd8b10f8868db432e66686

Affected versions

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.1.0

2.*

2.0.2

3.*

3.0.1

3.0.2

3.1.0

3.2.0

3.2.1

3.2.2

3.3.0

3.3.1

3.4.0

3.5.0

4.*

4.0.1

4.1.0

4.1.1

4.2.0

4.3.0

@zxcvbn-ts/core@0.*

@zxcvbn-ts/core@0.1.0

@zxcvbn-ts/core@0.3.0

@zxcvbn-ts/core@1.*

@zxcvbn-ts/core@1.0.0

@zxcvbn-ts/core@1.0.0-beta.0

@zxcvbn-ts/core@1.0.0-beta.1

@zxcvbn-ts/core@1.2.0

@zxcvbn-ts/core@2.*

@zxcvbn-ts/core@2.0.0

@zxcvbn-ts/core@2.0.1

@zxcvbn-ts/core@2.0.2

@zxcvbn-ts/core@2.0.3

@zxcvbn-ts/core@2.0.4

@zxcvbn-ts/core@2.0.5

@zxcvbn-ts/core@2.1.0

@zxcvbn-ts/core@2.2.0

@zxcvbn-ts/core@2.2.1

@zxcvbn-ts/core@3.*

@zxcvbn-ts/core@3.0.0

@zxcvbn-ts/core@3.0.1

@zxcvbn-ts/language-common@0.*

@zxcvbn-ts/language-common@0.1.0

@zxcvbn-ts/language-common@0.1.2

@zxcvbn-ts/language-common@1.*

@zxcvbn-ts/language-common@1.0.0

@zxcvbn-ts/language-common@1.0.0-beta.0

@zxcvbn-ts/language-common@1.0.0-beta.1

@zxcvbn-ts/language-common@1.0.2

@zxcvbn-ts/language-common@2.*

@zxcvbn-ts/language-common@2.0.0

@zxcvbn-ts/language-common@2.0.1

@zxcvbn-ts/language-common@3.*

@zxcvbn-ts/language-common@3.0.0

@zxcvbn-ts/language-common@3.0.1

@zxcvbn-ts/language-cs@3.*

@zxcvbn-ts/language-cs@3.0.0

@zxcvbn-ts/language-cs@3.0.1

@zxcvbn-ts/language-de@0.*

@zxcvbn-ts/language-de@0.1.0

@zxcvbn-ts/language-de@0.3.0

@zxcvbn-ts/language-de@1.*

@zxcvbn-ts/language-de@1.0.0

@zxcvbn-ts/language-de@1.0.0-beta.0

@zxcvbn-ts/language-de@1.0.0-beta.1

@zxcvbn-ts/language-de@1.2.0

@zxcvbn-ts/language-de@2.*

@zxcvbn-ts/language-de@2.0.0

@zxcvbn-ts/language-de@2.0.1

@zxcvbn-ts/language-de@2.1.0

@zxcvbn-ts/language-de@3.*

@zxcvbn-ts/language-de@3.0.0

@zxcvbn-ts/language-de@3.0.1

@zxcvbn-ts/language-en@0.*

@zxcvbn-ts/language-en@0.1.0

@zxcvbn-ts/language-en@0.3.0

@zxcvbn-ts/language-en@1.*

@zxcvbn-ts/language-en@1.0.0

@zxcvbn-ts/language-en@1.0.0-beta.0

@zxcvbn-ts/language-en@1.0.0-beta.1

@zxcvbn-ts/language-en@1.2.0

@zxcvbn-ts/language-en@2.*

@zxcvbn-ts/language-en@2.0.0

@zxcvbn-ts/language-en@2.0.1

@zxcvbn-ts/language-en@2.1.0

@zxcvbn-ts/language-en@3.*

@zxcvbn-ts/language-en@3.0.0

@zxcvbn-ts/language-en@3.0.1

@zxcvbn-ts/language-es-es@1.*

@zxcvbn-ts/language-es-es@1.2.0

@zxcvbn-ts/language-es-es@2.*

@zxcvbn-ts/language-es-es@2.0.0

@zxcvbn-ts/language-es-es@2.0.1

@zxcvbn-ts/language-es-es@2.1.0

@zxcvbn-ts/language-es-es@2.1.1

@zxcvbn-ts/language-es-es@3.*

@zxcvbn-ts/language-es-es@3.0.0

@zxcvbn-ts/language-es-es@3.0.1

@zxcvbn-ts/language-fi@2.*

@zxcvbn-ts/language-fi@2.1.0

@zxcvbn-ts/language-fi@2.2.0

@zxcvbn-ts/language-fi@3.*

@zxcvbn-ts/language-fi@3.0.0

@zxcvbn-ts/language-fi@3.0.1

@zxcvbn-ts/language-fr@1.*

@zxcvbn-ts/language-fr@1.0.0

@zxcvbn-ts/language-fr@1.0.0-beta.0

@zxcvbn-ts/language-fr@1.0.0-beta.1

@zxcvbn-ts/language-fr@1.2.0

@zxcvbn-ts/language-fr@2.*

@zxcvbn-ts/language-fr@2.0.1

@zxcvbn-ts/language-fr@2.1.0

@zxcvbn-ts/language-fr@2.2.0

@zxcvbn-ts/language-fr@3.*

@zxcvbn-ts/language-fr@3.0.0

@zxcvbn-ts/language-fr@3.0.1

@zxcvbn-ts/language-id@2.*

@zxcvbn-ts/language-id@2.1.0

@zxcvbn-ts/language-id@3.*

@zxcvbn-ts/language-id@3.0.0

@zxcvbn-ts/language-id@3.0.1

@zxcvbn-ts/language-it@2.*

@zxcvbn-ts/language-it@2.0.0

@zxcvbn-ts/language-it@2.0.1

@zxcvbn-ts/language-it@2.1.0

@zxcvbn-ts/language-it@3.*

@zxcvbn-ts/language-it@3.0.0

@zxcvbn-ts/language-it@3.0.1

@zxcvbn-ts/language-ja@2.*

@zxcvbn-ts/language-ja@2.1.0

@zxcvbn-ts/language-ja@3.*

@zxcvbn-ts/language-ja@3.0.0

@zxcvbn-ts/language-ja@3.0.1

@zxcvbn-ts/language-nl-be@0.*

@zxcvbn-ts/language-nl-be@0.3.0

@zxcvbn-ts/language-nl-be@1.*

@zxcvbn-ts/language-nl-be@1.0.0

@zxcvbn-ts/language-nl-be@1.0.0-beta.0

@zxcvbn-ts/language-nl-be@1.0.0-beta.1

@zxcvbn-ts/language-nl-be@1.2.0

@zxcvbn-ts/language-nl-be@2.*

@zxcvbn-ts/language-nl-be@2.0.0

@zxcvbn-ts/language-nl-be@2.0.1

@zxcvbn-ts/language-nl-be@2.1.0

@zxcvbn-ts/language-nl-be@2.1.1

@zxcvbn-ts/language-nl-be@3.*

@zxcvbn-ts/language-nl-be@3.0.0

@zxcvbn-ts/language-nl-be@3.0.1

@zxcvbn-ts/language-pl@2.*

@zxcvbn-ts/language-pl@2.1.0

@zxcvbn-ts/language-pl@2.2.0

@zxcvbn-ts/language-pl@3.*

@zxcvbn-ts/language-pl@3.0.0

@zxcvbn-ts/language-pl@3.0.1

@zxcvbn-ts/language-pt-br@2.*

@zxcvbn-ts/language-pt-br@2.0.0

@zxcvbn-ts/language-pt-br@2.0.1

@zxcvbn-ts/language-pt-br@2.1.0

@zxcvbn-ts/language-pt-br@2.1.1

@zxcvbn-ts/language-pt-br@3.*

@zxcvbn-ts/language-pt-br@3.0.0

@zxcvbn-ts/language-pt-br@3.0.1

@zxcvbn-ts/matcher-pwned@1.*

@zxcvbn-ts/matcher-pwned@1.2.0

@zxcvbn-ts/matcher-pwned@2.*

@zxcvbn-ts/matcher-pwned@2.0.0

@zxcvbn-ts/matcher-pwned@2.0.1

@zxcvbn-ts/matcher-pwned@2.0.2

@zxcvbn-ts/matcher-pwned@2.0.3

@zxcvbn-ts/matcher-pwned@2.0.4

@zxcvbn-ts/matcher-pwned@2.0.5

@zxcvbn-ts/matcher-pwned@2.0.6

@zxcvbn-ts/matcher-pwned@2.0.7

@zxcvbn-ts/matcher-pwned@2.0.8

@zxcvbn-ts/matcher-pwned@2.0.9

@zxcvbn-ts/matcher-pwned@3.*

@zxcvbn-ts/matcher-pwned@3.0.0

@zxcvbn-ts/matcher-pwned@3.0.1

v1.*

v1.0

v4.*

v4.4.0

v4.4.1

v4.4.2

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-34109.json"