GHSA-7vxc-q7rv-qfj8

Source
https://github.com/advisories/GHSA-7vxc-q7rv-qfj8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-7vxc-q7rv-qfj8/GHSA-7vxc-q7rv-qfj8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7vxc-q7rv-qfj8
Aliases
  • CVE-2021-29057
Published
2023-08-11T15:30:46Z
Modified
2024-10-03T17:26:26Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Summary
SUCHMOKUO node-worker-threads-pool denial of service Vulnerability
Details

An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 that allows attackers to cause a denial of service.

This can be mitigated by manually creating a timeout. For example:

const { StaticPool } = require("node-worker-threads-pool");

const staticPool = new StaticPool({
  size: 1,
  // This task never returns for a non-zero n, so without a bound it would
  // occupy the pool's only thread forever.
  task: (n) => {
    while (n) {
      console.log("a");
    }
    return n;
  }
});

// setTimeout(10) bounds the run: the returned promise rejects instead of hanging.
staticPool.createExecutor().setTimeout(10).exec(1).then((result) => {
  console.log("result from thread pool:", result);
}).catch(() => console.error("timeout"));
Database specific
{
    "nvd_published_at": "2023-08-11T14:15:12Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-11T22:16:44Z"
}
References

Affected packages

npm / node-worker-threads-pool

Package

Name
node-worker-threads-pool
Purl
pkg:npm/node-worker-threads-pool

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.4.3