GHSA-p4qw-7j9g-5h53
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p4qw-7j9g-5h53
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-p4qw-7j9g-5h53/GHSA-p4qw-7j9g-5h53.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p4qw-7j9g-5h53
- Aliases
- Published
- 2025-04-07T21:11:19Z
- Modified
- 2025-04-08T17:49:39Z
- Severity
-
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- ts-asn1-der has Incorrect DER Encoding of Numbers Leading to Denial of Service and Incorrect Value Representation
- Details
-
Impact
Incorrect
numberDER encoding can lead to denial on service for absolute values in the range2**31--2**32 - 1. The arithmetic in thenumBitLendidn't take into account that values in this range could result in a negative result upon applying the>>operator, leading to an infinite loop.In addition,
numberencoding had a few other issues that resulted it in it not encoding values correctly.Patches
The issue is patched in version
1.0.4. Users are recommended to upgrade as soon as possible.Workarounds
If upgrading is not an option, the issue can be mitigated by validating inputs to
Asn1Integerto ensure that they are not smaller than-2**31 + 1and no larger than2**31 - 1. AlthoughAsn1Integersupportsbigintinputs, some additional implementation issues make usingbigintas a mitigation inviable, as it will result in incorrect values.If upgrading is not an option and range checks are impractical or undesirable, input to
Asn1Integercan be provided as a buffer to be used directly. Note that this requires computing the correct DER encoding externally.References
N/A
- Database specific
{ "nvd_published_at": "2025-04-07T21:15:42Z", "cwe_ids": [ "CWE-1335", "CWE-835" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-07T21:11:19Z" }- References
Affected packages
npm / @apeleghq/asn1-der
Package
- Name
- @apeleghq/asn1-der
- View open source insights on deps.dev
- Purl
- pkg:npm/%40apeleghq/asn1-der