Async 3.2.5 is vulnerable to ReDoS (Regular Expression Denial of Service) CVE-2024-39249

[dvasilen]

Please assess and address the CVE-2024-39249 in Async 3.2.5

CVE-2024-39249 - Medium Severity Vulnerability

Vulnerable Library - async-3.2.5.tgz

Library home page: https://registry.npmjs.org/async/-/async-3.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /package.json

Dependency Hierarchy:

• ❌ async-3.2.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.

Publish Date: 2024-07-01

URL: CVE-2024-39249

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

[aearly]

This seems incredibly unlikely to be exploitable, except in development. If a user of Async was eval()ing user input and passing functions to autoInject, they would have bigger problems.

[PPKath-1611]

Hi @aearly @caolan , are you guys soon planning to resolve this CVE by publishing a new version for this NPM package ?

[aearly]

No, this is not exploitable except with extremely contrived examples.

[PPKath-1611]

@aearly, if you think so, can you please look & verify why Snyk is mentioning it as a medium severity vulnerability. If possible kindly provide a new patch version of it, as current version 3.2.5 is causing a Medium CVE which is leading to failure of npm vulnerability scan in our build pipeline

[PPKath-1611]

@aearly , Just for your reference, please once go through an observation explained by this author
https://github.com/zunak/CVE-2024-39249
Thanks

[AaronMoat]

@PPKath-1611: I agree with @aearly's comment in full. Please don't nag the the maintainers; false-positive CVEs are a nuisance for everyone.

I've raised a retraction request in the GitHub repository & am contacting NVD asking them to do the same. https://github.com/zunak/CVE-2024-39249/issues/1

If you have a problem with Snyk assessing the 'vulnerability' as medium affecting your builds, contact Snyk, not this maintainer.

[aearly]

Yes, thanks for the backup. For reference everyone, the example code provided involved 500 spaces beween async and (args) => {...} in code a developer would write. It would be as conspicuous in code review as for(var i = 0; i < 1000000000; i++);.

[okuryu]

Snyk appears to have revoked this vulnerability.
https://security.snyk.io/vuln/SNYK-JS-ASYNC-7414156

[aearly]

Okay, closing this issue. I'm also disappointed that Snyk cried wolf on a completely unverified CVE and created a lot of extra work for you all.