CVE-2026-49293

EPSS 0.34%
Veröffentlicht 19.06.2026 18:14:20
Zuletzt bearbeitet 23.06.2026 15:57:40
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input digit. Each iteration performs a `BigInt * BigInt` operation on an accumulator that grows linearly with the number of digits already consumed, so the whole loop is O(n²) in the literal length. The lexer regex places no upper bound on the literal length, so a single TOML document containing one ~500 kB hex literal pins one CPU core for ~40 seconds on a modern laptop (Apple M-series, Node v22). Memory amplification is bounded but CPU amplification is severe and grows quadratically: doubling the literal length quadruples the work. A caller that invokes `load()` on attacker-controlled TOML (configuration upload endpoints, CI/CD systems ingesting third-party `*.toml`, IDE plugins, build tools) is exposed to a single-request CPU exhaustion DoS. Version 1.1.1 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 6

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellersunnyadn

≫

Produkt js-toml

Version < 1.1.1

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.256

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-407 Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

https://github.com/sunnyadn/js-toml/security/advisories/GHSA-wp3c-266w-4qfq

https://github.com/sunnyadn/js-toml/commit/1abcb31dc7b1fa88e4c848a8d108891cfbb96fa2

https://github.com/sunnyadn/js-toml/releases/tag/v1.1.1

https://nvd.nist.gov/vuln/detail/CVE-2026-49293

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-49293

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-49293

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-49293