[GHSA-xffm-g5w8-qvg7] @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser #5852
Conversation
Hi there @fasttime! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull Request Overview
This PR updates a security advisory for ESLint's plugin-kit to reduce the severity classification of a Regular Expression Denial of Service (ReDoS) vulnerability from HIGH to MODERATE. The changes reflect a more accurate assessment that ESLint is not network-bound and the ReDoS represents a performance regression rather than a critical security vulnerability.
- Updated CVSS v4 score to reflect local attack vector and lower availability impact
- Changed severity classification from HIGH to MODERATE
- Updated modification timestamp
Thanks @Qix-. The original advisory GHSA-xffm-g5w8-qvg7 is low severity as you can see, so I'm not sure why the global advisory was marked as high severity. That should be low severity as well, similarly to a previous one. What do you think @nzakas, @mdjermanovic?
My first guess is that they're going off of established CVSS scores based on historical ReDoS reports, which are often marked with high severity to maximize bug bounty payouts on third party sites (those particular actors typically submitting ReDoS reports are doing so with automated tooling and absurd inputs, looking for a quick buck). I'm not implying that's what you're doing, just that they might be looking for past CVSS scores with the same IRE class. It's part of the reason why I'm so vocal about ReDoS vuln reports these days - been hit by a number of them. Should be addressed for sure, but the chaos and panic that High or Critical reports cause is disproportionate to the risk, by a large margin. I appreciate the response though @fasttime! I agree :)
This should be low severity. This package is used primarily by ESLint itself and ESLint plugins, for which the majority of users are using it as a CLI that is locally installed on their system. As such, there really is no attack vector to exploit this problem. People are using this to lint their own files. If someone were, for some reason, using this package as part of a web server that is exposed to the public, then there could be an attack vector...but that's not really what the package is designed for and I can't imagine why anyone would do that.
The CVSS string doesn't make much sense because we can't make assumptions about the environment, but since it's there I think we can update at least some of the positions to match GHSA-7q7g-4xm8-89cq.
advisory-database/advisories/github-reviewed/2024/11/GHSA-7q7g-4xm8-89cq/GHSA-7q7g-4xm8-89cq.json
Line 14 in 841b154
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L"
"published": "2025-07-18T20:39:12Z", | ||
"aliases": [], | ||
"summary": "@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser", | ||
"details": "### Summary\n\nThe `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument.\n\n### Details\n\nThe regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`.\n\n### PoC\n\n```javascript\nconst { ConfigCommentParser } = require(\"@eslint/plugin-kit\");\n\nconst str = `${\"A\".repeat(1000000)}?: 1 B: 2`;\n\nconsole.log(\"start\")\nvar parser = new ConfigCommentParser();\nconsole.log(parser.parseJSONLikeConfig(str));\nconsole.log(\"end\")\n\n// run `npm i @eslint/[email protected]` and `node attack.js`\n// then the program will stuck forever with high CPU usage\n```\n\n### Impact\n\nThis is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.", | ||
"severity": [ | ||
{ | ||
"type": "CVSS_V4", | ||
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P" | ||
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" |
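Review bot: the replacement `"score"` line changes three metrics at once, AV:N to AV:L, VA:H to VA:L, and the silent removal of the E:P exploit-maturity metric, while the PR overview only lists the local attack vector and the lower availability impact. The `"details"` field in the same file still carries a working PoC, which is exactly what E:P records, so either keep `/E:P` on the new vector or say in the description why it is dropped. AV:L is also a statement about how the package is deployed rather than about the library itself (the later review comment makes the same point that the environment cannot be assumed), so that reasoning belongs in the advisory text rather than only in the vector.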
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" | |
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" |
@@ -51,7 +51,7 @@ | |||
"cwe_ids": [ | |||
"CWE-1333" | |||
], | |||
"severity": "HIGH", | |||
"severity": "MODERATE", |
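Review bot: the `"severity"` label on this line has to agree with the CVSS vector edited in the earlier hunk, and the two are being changed independently here. The maintainer comments in this thread argue that the advisory in the project repository is LOW, so the vector should be settled first and this field then set to the rating that vector actually computes to, rather than MODERATE being chosen by hand; as written, MODERATE next to a vector of AV:L/VA:L with no E metric is not explained anywhere in the PR description.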
"severity": "MODERATE", | |
"severity": "LOW", |
Thank you for bringing this advisory to our attention! We do feel we can better align with the maintainers severity. We agree that the current CVSS score doesn't adequately reflect the advisory's actual risk profile, and would like to work together to establish a more accurate assessment. The proposed CVSS 4.0 score in this PR sets the rating to
Hi @helixplant, do I need to take any action on this PR to incorporate @fasttime's proposed changes (which I agree with)?
ESLint is not network-bound, and this is a performance regression, not a vulnerability. Please stop marking ReDoS vulnerabilities as "high severity". Relative to any other exploit class, there are very few reported in-the-wild exploits of ReDoS, and they require very perfect-storm situations, unsanitized inputs, and explicit passthrough of untrusted user input to a library that is almost never exposed as a network service.