Skip to content

Regular Expression Denial of Service in Acorn

high severity Published Apr 3, 2020 • Updated Aug 23, 2021

Package

npm acorn (npm)

Affected versions

>= 6.0.0, < 6.4.1
>= 7.0.0, < 7.1.1
>= 5.5.0, < 5.7.4

Patched versions

6.4.1
7.1.1
5.7.4

Description

Affected versions of acorn are vulnerable to Regular Expression Denial of Service.
A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop.
The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.
If an application processes untrusted input and passes it directly to acorn,
attackers may leverage the vulnerability leading to Denial of Service.

References

GHSA ID

GHSA-6chw-6frg-f759

CVSS Score

7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H