CVE-2024-9506

描述

The ReDoS can be exploited through the `parseHTML` function in the `html-parser.ts` file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption. To demonstrate this vulnerability, here's an example. In a Vue client-side application, create a new Vue instance with a template string that includes a `<script>` tag but closes it incorrectly with something like `</textarea>`. ```javascript new Vue({ el: '#app', template: ' <div> Hello, world! <script>${'<'.repeat(1000000)}</textarea> </div>' }); ``` Next, set up a basic HTML page (e.g., index.html) to load this JavaScript and mount the Vue instance: ```html <!DOCTYPE html> <html> <head> <title>My first Vue app</title> </head> <body> <div id=\"app\">Loading...</div> </body> </html> ``` When you visit the app in your browser at http://localhost:3000, you'll notice that the time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.

如何修補 CVE-2024-9506

要修補 CVE-2024-9506,請將受影響套件升級到下列已修補版本。

—升級至 3.0.0-alpha.0 或更新版本

CVE-2024-9506 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

>= 2.0.0-alpha.1, < 3.0.0-alpha.0

CVSS 分數

來源	版本

osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

描述

如何修補 CVE-2024-9506

CVE-2024-9506 正在被利用嗎?

受影響套件(1)

CVSS 分數

參考連結(3)