🟡 Medium Security Finding
Scanner: Trivy
Rule: GHSA-v3rj-xjv7-4jmq
Severity: MEDIUM
File: pnpm-lock.yaml:1
Description
Package: smol-toml
Installed Version: 1.6.0
Vulnerability GHSA-v3rj-xjv7-4jmq
Severity: MEDIUM
Fixed Version: 1.6.1
Link: GHSA-v3rj-xjv7-4jmq
Remediation Guidance
Vulnerability GHSA-v3rj-xjv7-4jmq
Severity: MEDIUM
Package: smol-toml
Fixed Version: 1.6.1
Link: GHSA-v3rj-xjv7-4jmq
Summary
An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.
The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.
Proof of concept
require("smol-toml").parse('# comment\n'.repeat(8000) + 'key = "value"')Impact
Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.
Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.
As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.
Patches
Version 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.
Workarounds
Wrap all invocations of parse and stringify in a try/catch block when dealing with untrusted user input.
References
This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.
🟡 Medium Security Finding
Scanner: Trivy
Rule:
GHSA-v3rj-xjv7-4jmqSeverity: MEDIUM
File:
pnpm-lock.yaml:1Description
Package: smol-toml
Installed Version: 1.6.0
Vulnerability GHSA-v3rj-xjv7-4jmq
Severity: MEDIUM
Fixed Version: 1.6.1
Link: GHSA-v3rj-xjv7-4jmq
Remediation Guidance
Vulnerability GHSA-v3rj-xjv7-4jmq
Severity: MEDIUM
Package: smol-toml
Fixed Version: 1.6.1
Link: GHSA-v3rj-xjv7-4jmq
Summary
An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.
The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.
Proof of concept
Impact
Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.
Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.
As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.
Patches
Version 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.
Workarounds
Wrap all invocations of
parseandstringifyin a try/catch block when dealing with untrusted user input.References
This issue was automatically created by repo-sentinel. Assigned to Copilot for an automated fix attempt.