Regular Expression Denial of Service in Acorn

Affected versions of acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to acorn, attackers may leverage the vulnerability leading to Denial of Service.

Published: Apr 3, 2020
Updated: Apr 14, 2023
GHSA: GHSA-6chw-6frg-f759
Severity: High
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-400

Affected Software
References

Software	From	Fixed in
acornjs / acorn	5.5.0	5.7.4
acornjs / acorn	6.0.0	6.4.1
acornjs / acorn	7.0.0	7.1.1

https://github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802
https://github.com/acornjs/acorn/issues/929
https://snyk.io/vuln/SNYK-JS-ACORN-559469
https://www.npmjs.com/advisories/1488

Vulnerability Database

290,301

Regular Expression Denial of Service in Acorn