GHSA-6chw-6frg-f759 – acorn

Package

Manager: npm
Name: acorn
Vulnerable Version: >=5.5.0 <5.7.4 || >=6.0.0 <6.4.1 || >=7.0.0 <7.1.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Regular Expression Denial of Service in Acorn Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability leading to Denial of Service.

Metadata

Created: 2020-04-03T21:48:38Z
Modified: 2021-08-23T15:10:32Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-6chw-6frg-f759/GHSA-6chw-6frg-f759.json
CWE IDs: ["CWE-400"]
Alternative ID: N/A
Finding: F002
Auto approve: 1