Async 3.2.5 is vulnerable to ReDoS (Regular Expression Denial of Service) CVE-2024-39249 about async HOT 9 CLOSED

@PPKath-1611: I agree with @aearly's comment in full. Please don't nag the the maintainers; false-positive CVEs are a nuisance for everyone.

I've raised a retraction request in the GitHub repository & am contacting NVD asking them to do the same. zunak/CVE-2024-39249#1

If you have a problem with Snyk assessing the 'vulnerability' as medium affecting your builds, contact Snyk, not this maintainer.

from async.

Snyk appears to have revoked this vulnerability.
https://security.snyk.io/vuln/SNYK-JS-ASYNC-7414156

from async.

@aearly, if you think so, can you please look & verify why Snyk is mentioning it as a medium severity vulnerability. If possible kindly provide a new patch version of it, as current version 3.2.5 is causing a Medium CVE which is leading to failure of npm vulnerability scan in our build pipeline

from async.

No, this is not exploitable except with extremely contrived examples.

from async.

Yes, thanks for the backup. For reference everyone, the example code provided involved 500 spaces beween async and (args) => {...} in code a developer would write. It would be as conspicuous in code review as for(var i = 0; i < 1000000000; i++);.

from async.

This seems incredibly unlikely to be exploitable, except in development. If a user of Async was eval()ing user input and passing functions to autoInject, they would have bigger problems.

from async.

Hi @aearly @caolan , are you guys soon planning to resolve this CVE by publishing a new version for this NPM package ?

from async.

@aearly , Just for your reference, please once go through an observation explained by this author
https://github.com/zunak/CVE-2024-39249
Thanks

from async.

Okay, closing this issue. I'm also disappointed that Snyk cried wolf on a completely unverified CVE and created a lot of extra work for you all.

from async.