Vulnerability

CVE-2024-39249

 Report advisory or correction

CVSS Score 6.3 medium

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

CWE

CWE-1333

References

https://github.com/caolan/async/issues/1975
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-39249

[CVE-2024-39249] CWE-1333

Description

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.

Deviation Notice:
Sonatype's research suggests that this CVE's details differ from those defined at NVD or other reporting sources; sign in for details.

Sign up and see:

Detailed deviation notices:
  • Detailed deviations
  • References
  • Custom Descriptions [Coming Soon]
Sign Up
See async package information