CVE-2024-27088
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
Description
### Impact

Passing functions with very long names or complex default-argument names into `function#copy` or `function#toStringTokens` may stall the script.

### Patches

Fixed with https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2 and https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602, published in v0.10.63.

### Workarounds

No real workaround other than refraining from using the above utilities.

### References

https://github.com/medikoo/es5-ext/issues/201
How to fix CVE-2024-27088
To remediate CVE-2024-27088, upgrade the affected package to a fixed version below. es5-ext is usually pulled in as a transitive dependency, so check the lockfile for every installed copy rather than only direct dependencies.
- no fix listed
- upgrade to 0.10.63 or later
Is CVE-2024-27088 being exploited?
Low. The EPSS score is 2.0%, an estimated probability of exploitation in the wild over the next 30 days; it is not a report of observed exploitation.
Affected packages (2)
- from 0
- >= 0.10.0, < 0.10.63
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.5) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |