v1.1.1

@sunnyadn sunnyadn released this 25 May 17:40
· 8 commits to main since this release

Security

  • Fix CPU exhaustion via O(n²) BigInt construction on radix-prefixed integer literals (GHSA-wp3c-266w-4qfq, CWE-400, CWE-407).

    The 0x / 0o / 0b integer parser previously used a hand-written BigInt accumulator loop that ran in O(n²) in the literal length, allowing a single attacker-supplied ~500 kB radix literal to block the Node.js event loop for tens of seconds. The fix switches to the V8 native BigInt(prefixedString) constructor (O(n)) and caps radix-prefixed literals at 1000 digits, matching jackson-core's StreamReadConstraints.maxNumberLength default.

    All users on 1.1.0 or earlier are affected and should upgrade to 1.1.1.

    Reported and patched by @tonghuaroot — thank you.
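The linear-time parse behind a digit cap that the entry describes, written here as an added example rather than the project's own code; the function names, the sign handling and the validation order are assumptions, and the 1000-digit limit is the one stated above:

```javascript
// Added example (not the project's code): parse a radix-prefixed integer
// literal (0x / 0o / 0b) into a BigInt the way the 1.1.1 fix describes:
// one native BigInt() call (linear in the digit count) behind a length cap,
// instead of a per-digit accumulator loop (quadratic).

const MAX_RADIX_DIGITS = 1000; // cap stated in the release notes

// Digit alphabets per prefix; malformed input is rejected before BigInt() runs.
const DIGITS = {
  x: /^[0-9a-fA-F]+$/,
  o: /^[0-7]+$/,
  b: /^[01]+$/,
};

function parseRadixLiteral(text) {
  // Optional sign handled here: BigInt() rejects a sign on prefixed strings.
  let sign = 1n;
  let body = text;
  if (body[0] === "-" || body[0] === "+") {
    if (body[0] === "-") sign = -1n;
    body = body.slice(1);
  }
  if (body.length < 2 || body[0] !== "0") {
    throw new SyntaxError("not a radix-prefixed literal");
  }
  const kind = body[1].toLowerCase();
  const digits = body.slice(2);
  if (!(kind in DIGITS)) throw new SyntaxError(`unknown radix prefix 0${body[1]}`);
  // Length check before any arithmetic, so oversized input costs O(1) here.
  if (digits.length === 0) throw new SyntaxError("missing digits after prefix");
  if (digits.length > MAX_RADIX_DIGITS) {
    throw new RangeError(`radix literal exceeds ${MAX_RADIX_DIGITS} digits`);
  }
  if (!DIGITS[kind].test(digits)) throw new SyntaxError(`invalid 0${kind} digit`);
  // Single native conversion: V8 parses the whole string in linear time.
  return sign * BigInt(`0${kind}${digits}`);
}

// The pattern the fix replaced, kept only to make the contrast concrete:
// one multiply-add per digit on a BigInt that grows with every step, so each
// step costs O(current length) and the whole loop is O(n²). It assumes the
// digits were already validated and is not used by parseRadixLiteral.
function accumulateQuadratic(digits, radix) {
  let acc = 0n;
  const r = BigInt(radix);
  for (const ch of digits) acc = acc * r + BigInt(parseInt(ch, radix));
  return acc;
}
```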

Full changelog: v1.1.0...v1.1.1