CVE-2024-43380: fugit parse and parse_nat stall on lengthy input

August 19, 2024

The fugit “natural” parser, that turns “every wednesday at 5pm” into “0 17 * * 3”, accepted any length of input and went on attempting to parse it, not returning promptly, as expected. The parse call could hold the thread with no end in sight.

Fugit dependents that do not check (user) input length for plausability are impacted.

References

github.com/advisories/GHSA-2m96-52r3-2f3g
github.com/floraison/fugit
github.com/floraison/fugit/commit/ad2c1c9c737213d585fff0b51c927d178b2c05a5
github.com/floraison/fugit/issues/104
github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g
nvd.nist.gov/vuln/detail/CVE-2024-43380

Detect and mitigate CVE-2024-43380 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →