CVE-2024-27088: es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
Impact
Passing functions with very long names or complex default argument names into function#copy orfunction#toStringTokens may put script to stall
Patches
Fixed with https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2 and https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602 Published with v0.10.63
Workarounds
No real workaround aside of refraining from using above utilities.
References
https://github.com/medikoo/es5-ext/issues/201
References
- github.com/advisories/GHSA-4gmj-3p3h-gm8h
- github.com/medikoo/es5-ext
- github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2
- github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602
- github.com/medikoo/es5-ext/issues/201
- github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h
- nvd.nist.gov/vuln/detail/CVE-2024-27088
Detect and mitigate CVE-2024-27088 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →