CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
16.1%
Versions of tf2-item-format
since at least 4.2.6
are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input.
5.9.13
5.8.10
5.7.0
5.6.17
4.3.5
4.2.6
Upgrade package to ^5.9.14
No patch exists. Please consult the v4 to v5 migration guide to upgrade to v5.
If upgrading to v5 is not possible, fork the module repository and implement the fix detailed below.
This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any tf2-item-format
to parse user input.
github.com/danocmx/node-tf2-item-format
github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec
github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14
github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685
nvd.nist.gov/vuln/detail/CVE-2024-41655
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
16.1%