caolan / async

Async utilities for node and the browser
http://caolan.github.io/async/
MIT License

Async 3.2.5 is vulnerable to ReDoS (Regular Expression Denial of Service) CVE-2024-39249 #1975

Closed dvasilen closed 3 days ago

dvasilen commented 1 week ago

Please assess and address the CVE-2024-39249 in Async 3.2.5

CVE-2024-39249 - Medium Severity Vulnerability

Vulnerable Library - async-3.2.5.tgz

Library home page: https://registry.npmjs.org/async/-/async-3.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:
- **async-3.2.5.tgz** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.

Publish Date: 2024-07-01

URL: CVE-2024-39249

CVSS 3 Score Details (5.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


aearly commented 1 week ago

This seems incredibly unlikely to be exploitable, except in development. If a user of Async was eval()ing user input and passing functions to autoInject, they would have bigger problems.

PPKath-1611 commented 1 week ago

Hi @aearly @caolan, are you guys planning to resolve this CVE soon by publishing a new version of this NPM package?

aearly commented 1 week ago

No, this is not exploitable except with extremely contrived examples.

PPKath-1611 commented 1 week ago

@aearly, if you think so, can you please look & verify why Snyk is mentioning it as a medium severity vulnerability? If possible, kindly provide a new patch version of it, as the current version 3.2.5 is causing a Medium CVE which is leading to failure of the npm vulnerability scan in our build pipeline.

PPKath-1611 commented 1 week ago

@aearly, just for your reference, please go through the observation explained by this author: https://github.com/zunak/CVE-2024-39249. Thanks.

AaronMoat commented 1 week ago

@PPKath-1611: I agree with @aearly's comment in full. Please don't nag the maintainers; false-positive CVEs are a nuisance for everyone.

I've raised a retraction request in the GitHub repository & am contacting NVD asking them to do the same. https://github.com/zunak/CVE-2024-39249/issues/1

If you have a problem with Snyk assessing the 'vulnerability' as medium affecting your builds, contact Snyk, not this maintainer.

aearly commented 1 week ago

Yes, thanks for the backup. For everyone's reference, the example code provided involved 500 spaces between `async` and `(args) => {...}` in code a developer would write. It would be as conspicuous in code review as `for(var i = 0; i < 1000000000; i++);`.

okuryu commented 3 days ago

Snyk appears to have revoked this vulnerability. https://security.snyk.io/vuln/SNYK-JS-ASYNC-7414156

aearly commented 3 days ago

Okay, closing this issue. I'm also disappointed that Snyk cried wolf on a completely unverified CVE and created a lot of extra work for you all.