Source: node-get-func-name
Version: 2.0.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-get-func-name.

CVE-2023-43646[0]:
| get-func-name is a module to retrieve a function's name securely and
| consistently both in NodeJS and the browser. Versions prior to 2.0.1
| are subject to a regular expression denial of service (redos)
| vulnerability which may lead to a denial of service when parsing
| malicious input. This vulnerability can be exploited when there is
| an imbalance in parentheses, which results in excessive backtracking
| and subsequently increases the CPU load and processing time
| significantly. This vulnerability can be triggered using the
| following input: '\t'.repeat(54773) + '\t/function/i'. This issue
| has been addressed in commit `f934b228b` which has been included in
| releases from 2.0.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43646
    https://www.cve.org/CVERecord?id=CVE-2023-43646
[1] https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
[2] https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
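The mitigation class the advisory describes (bounding how much function source reaches the name-extracting regular expression), as an added example that is not part of this bug report and is not the get-func-name project's own code. The `MAX_SOURCE_LENGTH` cap of 512, the stand-in pattern `FUNCTION_NAME_RE` and the helper names are assumptions made for this example; the trigger string is the one quoted in the advisory.

```javascript
// Added example (not the get-func-name project's code): a polyfill-style
// function-name extractor hardened against the ReDoS class described in
// CVE-2023-43646 by bounding the input the regular expression ever sees.
// MAX_SOURCE_LENGTH and FUNCTION_NAME_RE are assumptions, not upstream's values.

const MAX_SOURCE_LENGTH = 512;

// Stand-in pattern: the `function` keyword, any mix of whitespace and block
// comments, then the name. A repeated optional group followed by a class that
// can fail is the shape that backtracks badly on long runs of whitespace, so
// this pattern must only ever be applied to bounded input.
const FUNCTION_NAME_RE = /\s*function(?:\s|\s*\/\*[\s\S]*?\*\/\s*)*([^\s(\/]+)/;

// Bound the input first: backtracking cost is then a constant instead of
// growing with attacker-controlled source length.
function boundedSource(source) {
  if (typeof source !== 'string') return '';
  return source.length > MAX_SOURCE_LENGTH ? source.slice(0, MAX_SOURCE_LENGTH) : source;
}

// Regex path, the way a Function.prototype.name polyfill would use it.
// Returns '' when no name can be found (anonymous functions, hostile input).
function functionNameFromSource(source) {
  const match = boundedSource(source).match(FUNCTION_NAME_RE);
  return match ? match[1] : '';
}

// Regex-free alternative: one forward scan with no backtracking at all,
// accepting the same shape (whitespace and /* */ comments before the name).
function scanFunctionName(source) {
  const src = boundedSource(source);
  const kw = 'function';
  let i = 0;
  while (i < src.length && /\s/.test(src[i])) i++;
  if (!src.startsWith(kw, i)) return '';
  i += kw.length;
  for (;;) {
    if (i < src.length && /\s/.test(src[i])) { i++; continue; }
    if (src.startsWith('/*', i)) {
      const end = src.indexOf('*/', i + 2);
      if (end < 0) return ''; // unterminated comment: no name
      i = end + 2;
      continue;
    }
    break;
  }
  let j = i;
  while (j < src.length && !/[\s(\/]/.test(src[j])) j++;
  return src.slice(i, j);
}

// Public entry point: prefer the engine-provided name, fall back to the
// bounded source parse only where `name` is unavailable.
function getFuncName(aFunc) {
  if (typeof aFunc !== 'function') return null;
  if (typeof aFunc.name === 'string') return aFunc.name;
  return functionNameFromSource(Function.prototype.toString.call(aFunc));
}

// Constructed inputs: a normal function source and the advisory's trigger.
const SAMPLE_SOURCE = 'function /* c */ bar(a) {}';
const TRIGGER_INPUT = '\t'.repeat(54773) + '\t/function/i';

module.exports = { functionNameFromSource, scanFunctionName, getFuncName, SAMPLE_SOURCE, TRIGGER_INPUT };
```

With the cap in place the trigger input is cut to 512 tab characters before matching, so the quadratic backtracking the advisory describes is bounded by a constant; the scanner variant removes the backtracking entirely and is the safer choice where the regex form is not required for compatibility.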