CVE-2021-41167
modern-async's `forEachSeries` and `forEachLimit` functions do not limit the number of requests
7.5
HIGH
CVSS 3.1
EPSS 0.37%
Description
### Impact

This bug affects two functions in this library: `forEachSeries` and `forEachLimit`. They should limit the concurrency of some actions but, in practice, they don't. Code that calls these functions is written on the assumption that concurrency is limited, but it is not. This could lead to security issues in other projects.

### Patches

The problem has been patched in 1.0.4.

### Workarounds

There is no workaround aside from upgrading to 1.0.4.
How to fix CVE-2021-41167
To remediate CVE-2021-41167, upgrade the affected package to a fixed version below.
- Upgrade to 1.0.4 or later
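Because the flaw is a limit that is accepted but not enforced, a regression check can measure the peak number of in-flight calls directly. The following is an added example, not code from modern-async or from this advisory; `peakConcurrency`, `respectsLimit`, `brokenForEachLimit` and `referenceForEachLimit` are hypothetical names, and both limiters are constructed stand-ins that take `(items, iteratee, limit)`.

```javascript
// Added example: probe that counts how many iteratee calls are pending at once.
// Both limiters below are constructed stand-ins, not modern-async source code.

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Runs limiter(items, iteratee, limit) and returns the peak number of
// iteratee calls that were pending at the same moment.
async function peakConcurrency(limiter, itemCount, limit) {
  let inFlight = 0;
  let peak = 0;
  const items = Array.from({ length: itemCount }, (_, i) => i);
  await limiter(items, async () => {
    inFlight += 1;
    peak = Math.max(peak, inFlight);
    try {
      await sleep(5); // stands in for an outbound request
    } finally {
      inFlight -= 1;
    }
  }, limit);
  return peak;
}

// Constructed faulty limiter: accepts `limit` but starts every call at once,
// which is the failure mode the advisory describes.
async function brokenForEachLimit(items, iteratee, limit) {
  await Promise.all(items.map((item) => iteratee(item)));
}

// Constructed reference limiter: `limit` workers pull from one shared iterator,
// so at most `limit` iteratee calls are pending at any time.
async function referenceForEachLimit(items, iteratee, limit) {
  const it = items[Symbol.iterator]();
  const worker = async () => {
    for (const item of it) await iteratee(item);
  };
  await Promise.all(Array.from({ length: limit }, worker));
}

// True when the limiter never exceeds `limit` concurrent calls.
async function respectsLimit(limiter, itemCount, limit) {
  return (await peakConcurrency(limiter, itemCount, limit)) <= limit;
}
```

To check an installed dependency, pass its limiting function as `limiter`; this assumes it accepts the same `(items, iteratee, limit)` argument order as the stand-ins.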
Is CVE-2021-41167 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |