acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
WS-2020-0042 - Medium Severity Vulnerability
Vulnerable Library - acorn-6.2.0.tgz
ECMAScript parser
Library home page: https://registry.npmjs.org/acorn/-/acorn-6.2.0.tgz
Path to dependency file: /tmp/ws-scm/TCSTK-custom-form-app-plugin/package.json
Path to vulnerable library: /tmp/ws-scm/TCSTK-custom-form-app-plugin/node_modules/acorn/package.json
Dependency Hierarchy: - build-angular-0.801.2.tgz (Root Library) - webpack-4.35.2.tgz - :x: **acorn-6.2.0.tgz** (Vulnerable Library)
Vulnerability Details
acorn is vulnerable to REGEX DoS. A regex of the form /[x-\ud800]/u causes the parser to enter an infinite loop. attackers may leverage the vulnerability leading to a Denial of Service since the string is not valid UTF16 and it results in it being sanitized before reaching the parser.
Publish Date: 2020-03-08
URL: WS-2020-0042
CVSS 3 Score Details (5.0)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: N/A - Attack Complexity: N/A - Privileges Required: N/A - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1488
Release Date: 2020-03-08
Fix Resolution: 7.1.1