GHSA-455V-W7R9-3VV9

Vulnerability from github – Published: 2025-09-09 20:44 – Updated: 2025-09-25 21:44
Summary
Cattown is Vulnerable to Uncontrolled Resource Consumption through Inefficient Regular Expression Complexity
Details

Overview

A security review of Cattown identified multiple weaknesses that could affect its stability and security.

Affected Versions

  • All versions below 1.0.2

Description of Vulnerabilities

  1. CWE-1333: Inefficient Regular Expression Complexity
     The package used regular expressions with inefficient, potentially exponential worst-case complexity. Crafted inputs can trigger excessive backtracking and excessive CPU usage, potentially leading to denial of service.
  2. CWE-400: Uncontrolled Resource Consumption (Resource Exhaustion)
     The package was vulnerable to resource exhaustion: processing malicious inputs could cause high CPU or memory usage, potentially leading to denial of service.
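As an added illustration, not code from Cattown (the advisory does not say which regular expression was affected), the block below shows the shape CWE-1333 describes with a constructed pattern: a quantified group whose body is itself quantified, so that a non-matching input can be partitioned among the repetitions in exponentially many ways. Beside it is a rewrite that accepts exactly the same strings in linear time, and the input-size bound that the recommendation to restrict untrusted input amounts to in practice. The patterns, the function names and the 256-character limit are assumptions made for the example.

```javascript
// Added example (not Cattown's code): nested-quantifier regex vs. a linear rewrite,
// plus a size bound applied before any untrusted string reaches a regex.

// Constructed pattern with the CWE-1333 shape. The inner "[a-z]+" and the outer
// "(...)+" both consume letters, and the separator is optional, so on an input
// such as a long run of letters followed by a character the pattern cannot
// match, the engine retries every way of splitting the run between the outer
// repetitions before giving up: work that doubles with each extra letter.
const VULNERABLE_LIST = /^([a-z]+,?)+$/;

// Same language (lowercase words separated by single commas, optional trailing
// comma) with no overlapping quantifiers. Letters and commas are disjoint, so at
// every position there is exactly one way to continue and matching is linear.
const SAFE_LIST = /^[a-z]+(,[a-z]+)*,?$/;

// Upper bound on a legitimate list value (assumed value for this example).
const MAX_LIST_LENGTH = 256;

// Validate an untrusted list string. The length check runs first, so even a
// pattern that slipped through review could only be driven over a bounded input.
function validateList(input) {
  if (typeof input !== 'string') return false;
  if (input.length > MAX_LIST_LENGTH) return false;
  return SAFE_LIST.test(input);
}

// Regression check for the rewrite: both patterns must agree on every sample.
// Keep the samples short; the point is equivalence, not timing.
function patternsAgree(samples) {
  return samples.every((s) => VULNERABLE_LIST.test(s) === SAFE_LIST.test(s));
}

// Constructed sample inputs (accepted and rejected) used to exercise the check.
const SAMPLES = ['ab', 'ab,cd', 'ab,cd,', 'ab,,cd', ',ab', '', 'abc!', 'abcd'];

console.log('patterns agree:', patternsAgree(SAMPLES));            // true
console.log('validateList("ab,cd,"):', validateList('ab,cd,'));     // true
console.log('validateList("ab,,cd"):', validateList('ab,,cd'));     // false
console.log('over-long input:', validateList('a'.repeat(300)));     // false
```

The equivalence check is what makes the rewrite safe to ship: a regex changed to remove backtracking must still accept and reject the same strings, and a small table of accepted and rejected samples run against both patterns catches a rewrite that silently narrows or widens the grammar.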

Impact

  • Trigger excessive CPU consumption leading to denial of service
  • Cause resource exhaustion affecting service availability
  • Bypass protection mechanisms causing unexpected or insecure behavior

Resolution

These vulnerabilities have been fixed in version 1.0.2 of Cattown. Users are strongly encouraged to upgrade to this version to mitigate the risks.

Recommendations

  • Upgrade to Cattown version 1.0.2 or later as soon as possible.
  • Review and restrict input sources if untrusted inputs are processed.

Acknowledgments

The issues were proactively identified through CodeQL static analysis.


{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "cattown"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-58451"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-09T20:44:25Z",
    "nvd_published_at": "2025-09-08T22:15:34Z",
    "severity": "HIGH"
  },
  "details": "### Overview\nA security review of the Cattown identified multiple weaknesses that could potentially impact its stability and security.\n\n### Affected Versions\n- All versions below 1.0.2\n\n### Description of Vulnerabilities\n1. CWE-1333: Inefficient Regular Expression Complexity\nThe package used regular expressions with inefficient, potentially exponential worst-case complexity. This can cause excessive CPU usage due to excessive backtracking on crafted inputs, potentially leading to denial of service.\n2. CWE-400: Uncontrolled Resource Consumption (Resource Exhaustion)\nThe package was vulnerable to resource exhaustion, where processing malicious inputs could cause high CPU or memory usage, potentially leading to denial of service.\n\n### Impact\n- Trigger excessive CPU consumption leading to denial of service\n- Cause resource exhaustion affecting service availability\n- Bypass protection mechanisms causing unexpected or insecure behavior\n\n### Resolution\nThese vulnerabilities have been fixed in version 1.0.2 of the Cattown. Users are strongly encouraged to upgrade to this version to mitigate the risks.\n\n### Recommendations\n- Upgrade to Cattown version 1.0.2 or later as soon as possible.\n- Review and restrict input sources if untrusted inputs are processed.\n\n### Acknowledgments\nThe issues were proactively identified through CodeQL static analysis.",
  "id": "GHSA-455v-w7r9-3vv9",
  "modified": "2025-09-25T21:44:20Z",
  "published": "2025-09-09T20:44:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/IEatUranium238/Cattown/security/advisories/GHSA-455v-w7r9-3vv9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58451"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IEatUranium238/Cattown/commit/70c2a28fb7dc520cfb7e401e0e141bff3dd26ead"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IEatUranium238/Cattown"
    },
    {
      "type": "WEB",
      "url": "https://github.com/IEatUranium238/Cattown/releases/tag/security"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/package/cattown"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cattown is Vulnerable to Uncontrolled Resource Consumption through Inefficient Regular Expression Complexity"
}