Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2023-43646

Good to know:

icon

Date: September 27, 2023

get-func-name is a module to retrieve a function's name securely and consistently both in NodeJS and the browser. Versions prior to 2.0.1 are subject to a regular expression denial of service (redos) vulnerability which may lead to a denial of service when parsing malicious input. This vulnerability can be exploited when there is an imbalance in parentheses, which results in excessive backtracking and subsequently increases the CPU load and processing time significantly. This vulnerability can be triggered using the following input: '\t'.repeat(54773) + '\t/function/i'. This issue has been addressed in commit `f934b228b` which has been included in releases from 2.0.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: JS

Severity Score

Related Resources (5)

https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
https://security-tracker.debian.org/tracker/CVE-2023-43646
https://nvd.nist.gov/vuln/detail/CVE-2023-43646
https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69
https://www.mend.io/vulnerability-database/CVE-2023-43646

Severity Score

Weakness Type (CWE)

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Inefficient Regular Expression Complexity

CWE-1333

Top Fix

icon

Upgrade Version

Upgrade to version get-func-name - 2.0.1,3.0.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us