Skip to content

es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`

Low severity GitHub Reviewed Published Feb 26, 2024 in medikoo/es5-ext • Updated Feb 26, 2024

Package

npm es5-ext (npm)

Affected versions

>= 0.10.0, < 0.10.63

Patched versions

0.10.63

Description

Impact

Passing functions with very long names or complex default argument names into function#copy orfunction#toStringTokens may put script to stall

Patches

Fixed with medikoo/es5-ext@3551cdd and medikoo/es5-ext@a52e957
Published with v0.10.63

Workarounds

No real workaround aside of refraining from using above utilities.

References

medikoo/es5-ext#201

References

@medikoo medikoo published to medikoo/es5-ext Feb 26, 2024
Published by the National Vulnerability Database Feb 26, 2024
Published to the GitHub Advisory Database Feb 26, 2024
Reviewed Feb 26, 2024
Last updated Feb 26, 2024

Severity

Low

EPSS score

0.045%
(17th percentile)

Weaknesses

CVE ID

CVE-2024-27088

GHSA ID

GHSA-4gmj-3p3h-gm8h

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.