CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: High
async is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is in the autoInject function, whose argument-parsing regular expression lets an attacker slow down parsing with crafted whitespace, resulting in ReDoS.
References
github.com/advisories/GHSA-x6xm-h7hm-7p9q
github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41
github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6
github.com/caolan/async/commit/5f756b4470d91778702cace5f5fce8060aeb7ad6
github.com/caolan/async/issues/1975
github.com/caolan/async/issues/1975#issuecomment-2204528153
github.com/caolan/async/pull/1980
github.com/zunak/CVE-2024-39249
github.com/zunak/CVE-2024-39249/issues/1
web.archive.org/web/20240710221213/https://github.com/zunak/CVE-2024-39249