CVE-2024-27088 - Vulnerability Details - OpenCVE

es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Medikoo	Es5-ext

Configuration 1 [-]

cpe:2.3:a:medikoo:es5-ext:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2
https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602
https://github.com/medikoo/es5-ext/issues/201
https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h

History

Wed, 05 Feb 2025 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Medikoo Medikoo es5-ext
CPEs		cpe:2.3:a:medikoo:es5-ext::::::node.js::*
Vendors & Products		Medikoo Medikoo es5-ext

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-02-26T16:50:05.714Z

Updated: 2024-08-09T18:21:21.894Z

Reserved: 2024-02-19T14:43:05.992Z

Link: CVE-2024-27088

Vulnrichment

Updated: 2024-08-02T00:27:59.429Z

NVD

Status : Analyzed

Published: 2024-02-26T17:15:11.000

Modified: 2025-02-05T16:18:38.840

Link: CVE-2024-27088

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-27088", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-02-19T14:43:05.992Z", "datePublished": "2024-02-26T16:50:05.714Z", "dateUpdated": "2024-08-09T18:21:21.894Z"}, "containers": {"cna": {"title": "es5-ext Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`", "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-1333", "lang": "en", "description": "CWE-1333: Inefficient Regular Expression Complexity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h"}, {"name": "https://github.com/medikoo/es5-ext/issues/201", "tags": ["x_refsource_MISC"], "url": "https://github.com/medikoo/es5-ext/issues/201"}, {"name": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", "tags": ["x_refsource_MISC"], "url": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2"}, {"name": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", "tags": ["x_refsource_MISC"], "url": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602"}], "affected": [{"vendor": "medikoo", "product": "es5-ext", "versions": [{"version": ">= 0.10.0, < 0.10.63", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-26T16:50:05.714Z"}, "descriptions": [{"lang": "en", "value": "es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63."}], "source": {"advisory": "GHSA-4gmj-3p3h-gm8h", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.429Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h"}, {"name": "https://github.com/medikoo/es5-ext/issues/201", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/medikoo/es5-ext/issues/201"}, {"name": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2"}, {"name": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-09T18:21:09.554420Z", "id": "CVE-2024-27088", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:21:21.894Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", "name": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/medikoo/es5-ext/issues/201", "name": "https://github.com/medikoo/es5-ext/issues/201", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", "name": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", "name": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:27:59.429Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-27088", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-09T18:21:09.554420Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:21:16.687Z"}}], "cna": {"title": "es5-ext Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`", "source": {"advisory": "GHSA-4gmj-3p3h-gm8h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "LOCAL", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "medikoo", "product": "es5-ext", "versions": [{"status": "affected", "version": ">= 0.10.0, < 0.10.63"}]}], "references": [{"url": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", "name": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/medikoo/es5-ext/issues/201", "name": "https://github.com/medikoo/es5-ext/issues/201", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", "name": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", "name": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400: Uncontrolled Resource Consumption"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333: Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-02-26T16:50:05.714Z"}}}, "cveMetadata": {"cveId": "CVE-2024-27088", "state": "PUBLISHED", "dateUpdated": "2024-08-09T18:21:21.894Z", "dateReserved": "2024-02-19T14:43:05.992Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-02-26T16:50:05.714Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:medikoo:es5-ext:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "B05B11A7-0D8E-4AA2-8332-266A0C3483F1", "versionEndExcluding": "0.10.63", "versionStartIncluding": "0.10.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "es5-ext contains ECMAScript 5 extensions. Passing functions with very long names or complex default argument names into `function#copy` or `function#toStringTokens` may cause the script to stall. The vulnerability is patched in v0.10.63."}, {"lang": "es", "value": "es5-ext contiene extensiones ECMAScript 5. Pasar funciones con nombres muy largos o nombres de argumentos predeterminados complejos a `function#copy` o `function#toStringTokens` puede provocar que el script se detenga. La vulnerabilidad est\u00e1 parcheada en v0.10.63."}], "id": "CVE-2024-27088", "lastModified": "2025-02-05T16:18:38.840", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-02-26T17:15:11.000", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/medikoo/es5-ext/issues/201"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/medikoo/es5-ext/commit/3551cdd7b2db08b1632841f819d008757d28e8e2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/medikoo/es5-ext/commit/a52e95736690ad1d465ebcd9791d54570e294602"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking"], "url": "https://github.com/medikoo/es5-ext/issues/201"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-1333"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}