Vulnerability Database

309,130

Total vulnerabilities in the database

@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser

Summary

The ConfigCommentParser#parseJSONLikeConfig API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.

Details

The regular expression at packages/plugin-kit/src/config-comment-parser.js:158 is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with [^-a-zA-Z0-9/].

PoC

const { ConfigCommentParser } = require(&quot;@eslint/plugin-kit&quot;);

const str = `${&quot;A&quot;.repeat(1000000)}?: 1 B: 2`;

console.log(&quot;start&quot;)
var parser = new ConfigCommentParser();
console.log(parser.parseJSONLikeConfig(str));
console.log(&quot;end&quot;)

// run `npm i @eslint/plugin-kit@0.3.3` and `node attack.js`
// then the program will stuck forever with high CPU usage

Impact

This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published: Jul 18, 2025
Updated: Jul 29, 2025
GHSA: GHSA-xffm-g5w8-qvg7
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-1333

Affected Software
References

Software	From	Fixed in
@eslint / plugin-kit	-	0.3.4

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo