GitHub Advisory DatabaseGHSA-MPG4-RC92-VX8Vfast-xml-parser vulnerable to ReDOS at currency parsing
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
21.9%
Summary
A ReDOS exists on currency.js was discovered by Gauss Security Labs R&D team.
Details
https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10
contains a vulnerable regex
PoC
pass the following string ‘\t’.repeat(13337) + ‘.’
Impact
Denial of service during currency parsing in experimental version 5 of fast-xml-parser-library
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| fast-xml-parser_project | fast-xml-parser | * | cpe:2.3:a:fast-xml-parser_project:fast-xml-parser:*:*:*:*:*:node.js:*:* |
References
github.com/advisories/GHSA-mpg4-rc92-vx8v
github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10
github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164
github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v
nvd.nist.gov/vuln/detail/CVE-2024-41818
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
21.9%