[Pkg-javascript-devel] Bug#1053262: node-get-func-name: CVE-2023-43646

Salvatore Bonaccorso carnil at debian.org
Sat Sep 30 10:17:28 BST 2023


Source: node-get-func-name
Version: 2.0.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-get-func-name.

CVE-2023-43646[0]:
| get-func-name is a module to retrieve a function's name securely and
| consistently both in NodeJS and the browser. Versions prior to 2.0.1
| are subject to a regular expression denial of service (redos)
| vulnerability which may lead to a denial of service when parsing
| malicious input. This vulnerability can be exploited when there is
| an imbalance in parentheses, which results in excessive backtracking
| and subsequently increases the CPU load and processing time
| significantly. This vulnerability can be triggered using the
| following input: '\t'.repeat(54773) + '\t/function/i'. This issue
| has been addressed in commit `f934b228b` which has been included in
| releases from 2.0.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43646
    https://www.cve.org/CVERecord?id=CVE-2023-43646
[1] https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
[2] https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
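Added illustration (not part of the bug report above and not the upstream get-func-name source; see [2] for the actual fix): the constructed patterns below stand in for a Function.prototype.toString()-based name parser of the kind the advisory describes, and show why the quoted trigger '\t'.repeat(54773) + '\t/function/i' is quadratic against an unanchored leading \s* and how anchoring plus a length cap bounds the work. The names extractName, buildTrigger and timeMatch, the regexes themselves and the 512-character MAX_SOURCE_LENGTH are assumptions chosen here for the demonstration.

```javascript
'use strict';

// Constructed, illustrative patterns (not the upstream get-func-name source).
// Both try to pull a function's name out of Function.prototype.toString()
// output: optional leading whitespace, the keyword, whitespace or block
// comments, then the identifier.
//
// The unanchored leading `\s*` is the ReDoS: for an input of N tabs the
// engine attempts a match at every one of the N start positions, and at each
// one `\s*` greedily eats the remaining tabs and then gives them back one at
// a time looking for "function", so exec() does O(N^2) work before
// returning null.
const VULNERABLE_PATTERN = /\s*function(?:\s|\/\*[^*]*\*\/)*([^\s(\/]+)/;

// Hardened variant: `^` pins the attempt to position 0, so the whitespace run
// is scanned once (O(N)). The length cap on the source string bounds the work
// regardless of the pattern, which is the defence-in-depth choice when the
// input comes from a caller you do not control.
const HARDENED_PATTERN = /^\s*function(?:\s|\/\*[^*]*\*\/)*([^\s(\/]+)/;
const MAX_SOURCE_LENGTH = 512; // assumed cap, picked here for illustration

// Returns the captured name, or null when the pattern does not match.
function extractName(source, pattern, maxLength = Infinity) {
  const m = pattern.exec(source.slice(0, maxLength));
  return m ? m[1] : null;
}

// The trigger quoted in the advisory: N tabs, one more tab, then "/function/i".
// The keyword appears literally at the end, so a naive "does the source even
// contain 'function'" pre-check would not reject it, while the trailing "/"
// still makes the identifier part fail and forces the full backtracking scan.
function buildTrigger(n) {
  return '\t'.repeat(n) + '\t/function/i';
}

// Wall-clock cost of one match attempt, in milliseconds.
function timeMatch(pattern, input, maxLength = Infinity) {
  const start = process.hrtime.bigint();
  const result = extractName(input, pattern, maxLength);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, elapsedMs };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Both patterns agree on an ordinary function source string.
  const src = (function demo(a, b) { return a + b; }).toString();
  console.log('vulnerable:', extractName(src, VULNERABLE_PATTERN));
  console.log('hardened:  ', extractName(src, HARDENED_PATTERN, MAX_SOURCE_LENGTH));

  // Double N and watch the vulnerable pattern's time roughly quadruple while
  // the hardened one stays flat. Substitute 54773, the advisory's value, to
  // reproduce the full stall.
  for (const n of [2000, 4000, 8000, 16000]) {
    const input = buildTrigger(n);
    const bad = timeMatch(VULNERABLE_PATTERN, input);
    const good = timeMatch(HARDENED_PATTERN, input, MAX_SOURCE_LENGTH);
    console.log(`N=${n}: vulnerable ${bad.elapsedMs.toFixed(1)} ms, ` +
                `hardened ${good.elapsedMs.toFixed(3)} ms`);
  }
}
```

Run it with node to see the growth; the anchor alone removes the N start positions, and the slice() guarantees a bound even if a future pattern change reintroduces backtracking.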
