CWE-624
Executable Regular Expression Error
The product uses a regular expression that either (1) contains an executable component with user-controlled inputs, or (2) allows a user to enable execution by inserting pattern modifiers.
CVE-2024-41655 (GCVE-0-2024-41655)
Vulnerability from cvelistv5
Published
2024-07-23 14:49
Modified
2024-08-02 04:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
TF2 Item Format helps users format TF2 items to the community standards. Versions of `tf2-item-format` since at least `4.2.6` and prior to `5.9.14` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any `tf2-item-format` to parse user input. Version `5.9.14` contains a fix for the issue.
References
| ► | URL | Tags |
|---|---|---|
|
|
||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| danocmx | node-tf2-item-format |
Version: >= 4.2.6, < 5.9.14 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:danocmx:node-tf2-item-format:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "node-tf2-item-format",
"vendor": "danocmx",
"versions": [
{
"lessThan": "5.9.14",
"status": "affected",
"version": "4.2.6",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-41655",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-23T14:57:56.367784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T15:59:34.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:46:52.666Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685"
},
{
"name": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec"
},
{
"name": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "node-tf2-item-format",
"vendor": "danocmx",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.2.6, \u003c 5.9.14"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "TF2 Item Format helps users format TF2 items to the community standards. Versions of `tf2-item-format` since at least `4.2.6` and prior to `5.9.14` are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input. This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any `tf2-item-format` to parse user input. Version `5.9.14` contains a fix for the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-624",
"description": "CWE-624: Executable Regular Expression Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T14:49:34.078Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/danocmx/node-tf2-item-format/security/advisories/GHSA-8h55-q5qq-p685"
},
{
"name": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/danocmx/node-tf2-item-format/commit/5cffcc16a9261d6a937bda72bfe6830e02e31eec"
},
{
"name": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/danocmx/node-tf2-item-format/releases/tag/v5.9.14"
}
],
"source": {
"advisory": "GHSA-8h55-q5qq-p685",
"discovery": "UNKNOWN"
},
"title": "TF2 Item Format Regular Expression Denial of Service vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-41655",
"datePublished": "2024-07-23T14:49:34.078Z",
"dateReserved": "2024-07-18T15:21:47.481Z",
"dateUpdated": "2024-08-02T04:46:52.666Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Mitigation
Phase: Implementation
Description:
- The regular expression feature in some languages allows inputs to be quoted or escaped before insertion, such as \Q and \E in Perl.
No CAPEC attack patterns related to this CWE.