
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

fast-xml-parser is an open source, pure JavaScript XML parser. A ReDoS exists in currency.js. This vulnerability is fixed in 4.4.1. A regular expression denial of service (ReDoS) flaw was found in fast-xml-parser in the currency.js script. By sending a specially crafted regex input, a remote attacker could cause a denial of service condition.

• https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v
• https://github.com/NaturalIntelligence/fast-xml-parser/commit/ba5f35e7680468acd7906eaabb2f69e28ed8b2aa
• https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164
• https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10
• https://access.redhat.com/security/cve/CVE-2024-41818
• https://bugzilla.redhat.com/show_bug.cgi?id=2300499
• CWE-400: Uncontrolled Resource Consumption

CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

fast-xml-parser before 4.1.2 allows __proto__ for Prototype Pollution.

• https://gist.github.com/Sudistark/a5a45bd0804d522a1392cb5023aa7ef7
• https://github.com/NaturalIntelligence/fast-xml-parser/commit/2b032a4f799c63d83991e4f992f1c68e4dd05804
• https://github.com/advisories/GHSA-793h-6f7r-6qvm
• CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')