CVE-2021-29057: SUCHMOKUO node-worker-threads-pool denial of service Vulnerability
An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 that allows attackers to cause a denial of service.
This can be mitigated by setting a timeout on each task execution, so that a task that never returns cannot hold a worker (and, with a pool of size 1, the whole pool) indefinitely. For example:
const { StaticPool } = require("node-worker-threads-pool");

// A pool with a single worker whose task never returns for a truthy argument:
// `n` is never modified, so `while (n)` loops forever and the worker is stuck.
const staticPool = new StaticPool({
  size: 1,
  task: (n) => {
    while (n) {
      console.log("a");
    }
    return n;
  }
});

// Bound the wait: the executor's setTimeout (milliseconds) makes the returned
// promise reject instead of hanging forever when the task does not finish in time.
staticPool.createExecutor().setTimeout(10).exec(1).then((result) => {
  console.log("result from thread pool:", result);
}).catch(() => console.error("timeout"));