CVE-2021-29057 — SUCHMOKUO node-worker-threads-pool denial of service Vulnerability

描述

An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 that allows attackers to cause a denial of service. This can be mitigated by manually creating a timeout. For example: ```ts const { StaticPool } = require(\"node-worker-threads-pool\"); const staticPool = new StaticPool({ size: 1, task: (n) => { while (n) { console.log(\"a\"); } return n; } }); staticPool.createExecutor().setTimeout(10).exec(1).then((result) => { console.log(\"result from thread pool:\", result); }).catch(() => console.error('timeout')); ```

如何修補 CVE-2021-29057

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

—未列出修補版本

CVE-2021-29057 正在被利用嗎?

低 — EPSS 為 0.1%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, <= 1.4.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

參考連結(3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-29057
PATCHgithub.com/SUCHMOKUO/node-worker-threads-pool
WEBgithub.com/SUCHMOKUO/node-worker-threads-pool/issues/20