GMS-2020-702: Regular Expression Denial of Service in Acorn

April 3, 2020 (updated August 23, 2021)

Affected versions of acorn is vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability leading to Denial of Service.

References

github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802
github.com/acornjs/acorn/issues/929
github.com/advisories/GHSA-6chw-6frg-f759
snyk.io/vuln/SNYK-JS-ACORN-559469
www.npmjs.com/advisories/1488

Code Behaviors & Features

Detect and mitigate GMS-2020-702 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →