logo

Database

Asymmetric denial of service In acorn

Description

Regular Expression Denial of Service in Acorn Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability leading to Denial of Service.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GCVE-GHSA-6chw-6frg-f759

References

1. https://github.com/acornjs/acorn/issues/9292. https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b8023. https://www.npmjs.com/advisories/1488

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.