Resource Exhaustion Affecting renovate package, versions <38.18.0-r0
Threat Intelligence
EPSS
0.06% (25th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-CHAINGUARDLATEST-RENOVATE-7577303
- published 1 Aug 2024
- disclosed 29 Jul 2024
Introduced: 29 Jul 2024
CVE-2024-41818 Open this link in a new tabHow to fix?
Upgrade Chainguard
renovate
to version 38.18.0-r0 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream renovate
package and not the renovate
package as distributed by Chainguard
.
See How to fix?
for Chainguard
relevant fixed versions and status.
fast-xml-parser is an open source, pure javascript xml parser. a ReDOS exists on currency.js. This vulnerability is fixed in 4.4.1.
References
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/ba5f35e7680468acd7906eaabb2f69e28ed8b2aa
- https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10
- https://github.com/NaturalIntelligence/fast-xml-parser/commit/d0bfe8a3a2813a185f39591bbef222212d856164
- https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-mpg4-rc92-vx8v
CVSS Scores
version 3.1