CVE-2024-27088
Denial of Service vulnerability in es5-ext (npm)


What is CVE-2024-27088 About?

This vulnerability allows a denial of service when functions with very long or complex argument names are passed into `function#copy` or `function#toStringTokens`. Processing such input can stall the script, leading to unavailability. Exploitation requires the use of these specific utility functions with crafted input.

Affected Software

es5-ext >0.10.0, <0.10.63

Technical Details

The vulnerability in es5-ext arises when the function#copy or function#toStringTokens utilities are invoked with functions possessing extremely long names or overly complex default argument names. The internal processing of these utility functions, particularly when attempting to parse or represent these complex function signatures, becomes inefficient and resource-intensive. This leads to a prolonged execution time, effectively stalling the script and causing a denial-of-service condition for the application or JavaScript execution environment. The issue is a result of inadequate handling of edge-case input sizes for function metadata.

What is the Impact of CVE-2024-27088?

Successful exploitation may allow attackers to cause the script or application to become unresponsive, leading to a denial of service and disrupting normal operations.

What is the Exploitability of CVE-2024-27088?

Exploitation complexity is moderate, requiring the creation of functions with excessively long names or complex default arguments. No authentication or specific privileges are required beyond the ability to execute JavaScript code that interacts with the es5-ext library. This is typically a local vulnerability within a JavaScript execution environment, though it could be remotely triggered if an application processes untrusted user-supplied code that utilizes these functions. The special condition is the explicit use of function#copy or function#toStringTokens with the crafted input. Risk factors include applications that process and evaluate untrusted JavaScript or depend on these specific utility functions without input validation.

What are the Known Public Exploits?

PoC Author | Link | Commentary
200101WhoAmI | Link | redos

What are the Available Fixes for CVE-2024-27088?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch for CVE-2024-27088 replaces brittle regular expression parsing of function strings with robust tokenization using the esniff library to correctly extract function arguments and bodies, preventing unintended parsing of maliciously crafted function sources. This fixes the vulnerability by eliminating incorrect parsing that could allow prototype pollution or execution of arbitrary code via specially constructed function strings.
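To illustrate the mitigation approach described above (a single-pass tokenizer instead of regular-expression matching over the function source), here is an added example; it is not es5-ext's or esniff's code, and the names `toStringTokens` and `tokenizeLongParam` are chosen for this illustration. It assumes the function has a parenthesized parameter list and a block body.

```javascript
// Added example, not es5-ext or esniff code: a minimal tokenizer that splits
// a function's source into its parameter list and body with a single
// left-to-right scan. Work is proportional to the source length even when a
// parameter name is hundreds of thousands of characters long, which is the
// property a backtracking regular expression can lack.
// Assumption: the function has a parenthesized parameter list and a block
// body (function declarations/expressions, `new Function`, block-bodied arrows).
function toStringTokens(fn) {
  const src = Function.prototype.toString.call(fn);
  const open = src.indexOf('(');
  if (open === -1) throw new Error('no parameter list found');
  let depth = 0, close = -1, quote = null;
  for (let i = open; i < src.length; i++) {
    const ch = src[i];
    if (quote) {                        // inside a string literal in a default value
      if (ch === '\\') i++;             // skip the escaped character
      else if (ch === quote) quote = null;
      continue;
    }
    if (ch === '"' || ch === "'" || ch === '`') { quote = ch; continue; }
    if (ch === '(' || ch === '[' || ch === '{') depth++;
    else if (ch === ')' || ch === ']' || ch === '}') {
      depth--;
      if (depth === 0) { close = i; break; }  // matching ')' of the parameter list
    }
  }
  if (close === -1) throw new Error('unbalanced parameter list');
  const bodyStart = src.indexOf('{', close);
  const bodyEnd = src.lastIndexOf('}');
  if (bodyStart === -1 || bodyEnd <= bodyStart) throw new Error('no block body found');
  return {
    args: src.slice(open + 1, close).trim(),
    body: src.slice(bodyStart + 1, bodyEnd).trim(),
  };
}

// Constructed stress input: one parameter whose name is `length` characters
// long, the kind of input the advisory says stalls the vulnerable parser.
function tokenizeLongParam(length) {
  const name = 'a'.repeat(length);
  const fn = new Function(name, 'return ' + name);
  const started = Date.now();
  const tokens = toStringTokens(fn);
  return { ok: tokens.args === name, ms: Date.now() - started };
}

console.log(toStringTokens(function f(a, b = (1 + 2)) { return a + b; }));
console.log(tokenizeLongParam(200000));
```

The reported `ms` stays in the low milliseconds regardless of `length`, which is the behaviour a vulnerable parser fails to provide.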

Available Upgrade Options

  • es5-ext
    • >0.10.0, <0.10.63 → Upgrade to 0.10.63


Additional Resources

What are Similar Vulnerabilities to CVE-2024-27088?

Similar Vulnerabilities: CVE-2023-45803, CVE-2022-21703, CVE-2021-4122, CVE-2020-8012, CVE-2019-10023