GHSA-8h55-q5qq-p685
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8h55-q5qq-p685
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-8h55-q5qq-p685/GHSA-8h55-q5qq-p685.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8h55-q5qq-p685
- Aliases
- Related
- Published
- 2024-07-23T14:10:45Z
- Modified
- 2024-07-23T15:51:54Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- (ReDoS) Regular Expression Denial of Service in tf2-item-format
- Details
-
Summary
Versions of
tf2-item-formatsince at least4.2.6are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input.Tested Versions
5.9.135.8.105.7.05.6.174.3.54.2.6
v5
Upgrade package to
^5.9.14v4
No patch exists. Please consult the v4 to v5 migration guide to upgrade to v5.
If upgrading to v5 is not possible, fork the module repository and implement the fix detailed below.
Impact
This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any
tf2-item-formatto parse user input. - Database specific
{ "nvd_published_at": "2024-07-23T15:15:05Z", "cwe_ids": [ "CWE-1333", "CWE-624" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-07-23T14:10:45Z" }- References
-
- https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685
- https://nvd.nist.gov/vuln/detail/CVE-2024-41655
- https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec
- https://github.com/danocmx/node-tf2-item-format
- https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14
Affected packages
npm / tf2-item-format
Package
- Name
- tf2-item-format
- View open source insights on deps.dev
- Purl
- pkg:npm/tf2-item-format