Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-34075

Good to know:

icon

Date: May 3, 2024

kurwov is a fast, dependency-free library for creating Markov Chains. An unsafe sanitization of dataset contents on the "MarkovData#getNext" method used in "Markov#generate" and "Markov#choose" allows a maliciously crafted string on the dataset to throw and stop the function from running properly. If a string contains a forbidden substring (i.e. "__proto__") followed by a space character, the code will access a special property in "MarkovData#finalData" by removing the last character of the string, bypassing the dataset sanitization (as it is supposed to be already sanitized before this function is called). Any dataset can be contaminated with the substring making it unable to properly generate anything in some cases. This issue has been addressed in version 3.2.5 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: C

Severity Score

Related Resources (6)

https://github.com/xiboon/kurwov/blob/0d58dfa42135ab40e830e92622857282f980ca89/src/MarkovData.ts#L38-L44
https://github.com/xiboon/kurwov
https://nvd.nist.gov/vuln/detail/CVE-2024-34075
https://github.com/xiboon/kurwov/commit/85d63e652594f121d6656177d7a3c0d823c976c9
https://github.com/xiboon/kurwov/security/advisories/GHSA-hfrv-h3q8-9jpr
https://www.mend.io/vulnerability-database/CVE-2024-34075

Severity Score

Weakness Type (CWE)

Deserialization of Untrusted Data

CWE-502

Top Fix

icon

Upgrade Version

Upgrade to version kurwov - 3.2.5

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): NONE
Availability (A): HIGH

Do you need more information?

Contact Us