CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | CHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

EPSS
Percentile: 20.5%

get-func-name is a module to retrieve a function's name securely and
consistently both in NodeJS and the browser. Versions prior to 2.0.1 are
subject to a regular expression denial of service (ReDoS) vulnerability
which may lead to a denial of service when parsing malicious input. This
vulnerability can be exploited when there is an imbalance in parentheses,
which results in excessive backtracking and subsequently increases the CPU
load and processing time significantly. This vulnerability can be triggered
using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue
has been addressed in commit f934b228b, which has been included in
releases from 2.0.1. Users are advised to upgrade. There are no known
workarounds for this vulnerability.
Author | Note |
---|---|
alexmurray | The Debian chromium source package is called chromium-browser in Ubuntu |
mdeslaur | starting with Ubuntu 19.10, the chromium-browser package is just a script that installs the Chromium snap |
rodrigo-zaiden | get-func-name source is included in chromium and qt6-webengine |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | node-get-func-name | < any | UNKNOWN |
ubuntu | 20.04 | noarch | node-get-func-name | < any | UNKNOWN |
ubuntu | 22.04 | noarch | node-get-func-name | < any | UNKNOWN |
ubuntu | 24.04 | noarch | node-get-func-name | < any | UNKNOWN |
ubuntu | 22.04 | noarch | qt6-webengine | < any | UNKNOWN |
ubuntu | 24.04 | noarch | qt6-webengine | < any | UNKNOWN |
github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69
github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
launchpad.net/bugs/cve/CVE-2023-43646
nvd.nist.gov/vuln/detail/CVE-2023-43646
security-tracker.debian.org/tracker/CVE-2023-43646
www.cve.org/CVERecord?id=CVE-2023-43646