PT-2021-18248 · Npm · Cumulative-Distribution-Function
Drpaulbrewer · Published 2021-04-30 · Updated 2022-08-03 · CVE-2021-29486
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
cumulative-distribution-function versions prior to 2.0.0
Description:
The issue arises when the cumulative-distribution-function library is called with improper data, which can cause the application to crash or enter an infinite loop. This affects both Node.js server applications and browser applications that pass invalid, non-numeric data to the library. The result is an infinite CPU loop, usable as a denial-of-service attack by anyone who can supply malformed data to the library. The same condition can also be triggered accidentally if a data source changes from numeric to string values, since versions before 2.0.0 do not detect the change.
Recommendations:
For versions prior to 2.0.0, upgrade to at least v2.0.0 or the latest version to resolve the issue.
As a temporary workaround for older versions, ensure that only finite numeric data of type Array[number] or number is passed to cumulative-distribution-function and its f(x) function, respectively.
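The workaround above, as an added example that is not code from the cumulative-distribution-function package: a guard that admits only finite numeric input and catches the TypeError that v2.0.0 is described as throwing. The library's call shape (makeCdf(data) returning an object with f(x)) is assumed from this advisory, and empiricalCdf is a stand-in so the snippet runs without the package.

```javascript
// Added example, not code from the cumulative-distribution-function package.
// Assumption: the library is called as makeCdf(data) and returns an object
// whose f(x) evaluates the CDF. empiricalCdf is a stand-in for offline use.

// Workaround check: data must be an Array whose every value is a finite number.
// typeof rejects strings such as "1.5"; Number.isFinite rejects NaN and
// +/-Infinity, which are numbers but not finite.
function isFiniteNumberArray(data) {
  return Array.isArray(data) &&
    data.every((v) => typeof v === 'number' && Number.isFinite(v));
}

// Stand-in for the library (assumption, not its implementation):
// F(x) = fraction of samples <= x.
function empiricalCdf(data) {
  const sorted = [...data].sort((a, b) => a - b);
  return { f: (x) => sorted.filter((v) => v <= x).length / sorted.length };
}

// Validate before calling the library (pre-2.0.0 may crash or loop on bad
// input) and catch the TypeError that 2.0.0 raises, so the caller gets a
// clean failure with either version instead of a hung or dead process.
function safeCdf(makeCdf, data) {
  if (!isFiniteNumberArray(data)) {
    return { ok: false, reason: 'data must be an array of finite numbers' };
  }
  let model;
  try {
    model = makeCdf(data);
  } catch (e) {
    if (e instanceof TypeError) return { ok: false, reason: e.message };
    throw e; // anything else is a genuine bug; let it surface
  }
  // The same guard applies to the query point handed to f(x).
  const f = (x) => {
    if (typeof x !== 'number' || !Number.isFinite(x)) {
      throw new TypeError('x must be a finite number');
    }
    return model.f(x);
  };
  return { ok: true, f };
}

// Constructed sample: a JSON feed that silently switched one value to a string.
const feed = JSON.parse('[0.5, "1.5", 2.5, 3.5]');
const guarded = safeCdf(empiricalCdf, feed);            // rejected, ok: false
const clean = safeCdf(empiricalCdf, feed.map(Number));  // accepted, ok: true
```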
Developers using this library may wish to adjust their app's code to better tolerate or handle the TypeError() thrown by version 2.0.0 when it encounters invalid data.
Tags: Exploit, Fix, Infinite Loop, RCE
Affected Products: Cumulative-Distribution-Function