This seems incredibly unlikely to be exploitable, except in development. If a user of Async was eval()ing user input and passing functions to autoInject, they would have bigger problems.
Hi @aearly @caolan, are you guys soon planning to resolve this CVE by publishing a new version for this NPM package?
No, this is not exploitable except with extremely contrived examples.
@aearly, if you think so, can you please look & verify why Snyk is mentioning it as a medium severity vulnerability? If possible, kindly provide a new patch version of it, as the current version 3.2.5 is causing a Medium CVE which is leading to failure of the npm vulnerability scan in our build pipeline.
@aearly, just for your reference, please go through the observation explained by this author: https://github.com/zunak/CVE-2024-39249 Thanks.
@PPKath-1611: I agree with @aearly's comment in full. Please don't nag the maintainers; false-positive CVEs are a nuisance for everyone.
I've raised a retraction request in the GitHub repository & am contacting NVD asking them to do the same. https://github.com/zunak/CVE-2024-39249/issues/1
If you have a problem with Snyk assessing the 'vulnerability' as medium affecting your builds, contact Snyk, not this maintainer.
Yes, thanks for the backup. For reference, everyone, the example code provided involved 500 spaces between `async` and `(args) => {...}` in code a developer would write. It would be as conspicuous in code review as `for(var i = 0; i < 1000000000; i++);`.
Snyk appears to have revoked this vulnerability. https://security.snyk.io/vuln/SNYK-JS-ASYNC-7414156
Okay, closing this issue. I'm also disappointed that Snyk cried wolf on a completely unverified CVE and created a lot of extra work for you all.
Please assess and address the CVE-2024-39249 in Async 3.2.5
CVE-2024-39249 - Medium Severity Vulnerability
Library home page: https://registry.npmjs.org/async/-/async-3.2.5.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
- :x: **async-3.2.5.tgz** (Vulnerable Library)
Found in base branch: master
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.
Publish Date: 2024-07-01
URL: CVE-2024-39249
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.