steal is vulnerable to regular expression denial of service (ReDoS) attacks. A remote attacker is able to cause a system hang by supplying maliciously crafted input through the source or sourceWithComments variables in main.js.
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L3497
github.com/stealjs/steal/blob/c9dd1eb19ed3f97aeb93cf9dcea5d68ad5d0ced9/main.js#L3507
github.com/stealjs/steal/blob/v2.3.0/main.js#L3497
github.com/stealjs/steal/blob/v2.3.0/main.js#L3507
github.com/stealjs/steal/issues/1531