PT-2023-24680 · Zxcvbn-Ts

Balassy · Published 2023-06-07 · Updated 2023-06-15 · CVE-2023-34109

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: zxcvbn-ts versions prior to 3.0.2

Description: This issue affects users running on the NodeJS platform who use the second argument of the zxcvbn function. It can result in unbounded resource consumption because the user inputs array is extended with every function call. Both browsers and NodeJS platforms are impacted, but the effect in browsers requires a significant number of input changes from a single user, whereas a NodeJS process is more easily affected because it receives inputs from every user of a platform.

Recommendations: For versions prior to 3.0.2, upgrade to version 3.0.2 or later. Users who cannot upgrade should stop using the second argument of the zxcvbn function and use the zxcvbnOptions.setOptions function instead.
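As an added example that is not part of this advisory and not zxcvbn-ts project code, the following JavaScript models the defect described above and the two recommended mitigations. The state objects, the two estimator functions and the toy scoring routine are assumptions written for illustration: they reproduce only the pattern (a per-call second argument appended to a global list that is never reset, versus a list set once through a setOptions-style call and per-call inputs that live only for that call), not the library's real matching logic. The version check encodes the affected range stated above.

```javascript
// Added example (not zxcvbn-ts code): model of CVE-2023-34109 and its mitigations.

// --- Model of the pre-3.0.2 behaviour (assumption for illustration): the
// second argument is appended to a module-level list that nothing ever trims.
const leakyState = { userInputs: [] };

function leakyEstimate(password, userInputs = []) {
  for (const input of userInputs) {
    leakyState.userInputs.push(String(input).toLowerCase());
  }
  // Every call now scans a list that grows with the number of previous calls.
  return scoreAgainst(password, leakyState.userInputs);
}

// --- Model of the mitigated usage: site-wide terms are set once with a
// setOptions-style call, and per-call inputs are merged only for that call.
const fixedState = { userInputs: [] };

function setOptions(options) {
  // Replaces (does not extend) the global list.
  fixedState.userInputs = (options.userInputs || []).map((s) => String(s).toLowerCase());
}

function fixedEstimate(password, userInputs = []) {
  const merged = fixedState.userInputs.concat(userInputs.map((s) => String(s).toLowerCase()));
  return scoreAgainst(password, merged); // `merged` is dropped after the call
}

// Toy scoring (assumption): 0 if the password is in the dictionary, else a
// length-based score capped at 4. Stands in for the real strength estimator.
function scoreAgainst(password, dictionary) {
  const p = password.toLowerCase();
  if (dictionary.includes(p)) return 0;
  return Math.min(4, Math.floor(p.length / 4));
}

// Simulate a server-side process that runs the estimator once per registration.
function simulateRegistrations(estimate, count) {
  for (let i = 0; i < count; i++) {
    // Constructed input: each request carries that user's own name and e-mail.
    estimate("Tr0ub4dor&3", [`user${i}`, `user${i}@example.com`]);
  }
}

// Returns the size of the retained dictionary after `count` requests, which is
// the quantity a defender would watch to confirm the leak (or its absence).
function dictionarySizeAfter(variant, count) {
  if (variant === "leaky") {
    leakyState.userInputs.length = 0;
    simulateRegistrations(leakyEstimate, count);
    return leakyState.userInputs.length;
  }
  setOptions({ userInputs: ["acme", "acmecorp"] }); // set once for the whole process
  simulateRegistrations(fixedEstimate, count);
  return fixedState.userInputs.length;
}

// Operational check: is an installed zxcvbn-ts version inside the affected
// range ("prior to 3.0.2")? Accepts plain "x.y.z" or a leading "v".
function isAffectedVersion(version) {
  const [major, minor, patch] = version.replace(/^v/, "").split(".").map(Number);
  if ([major, minor, patch].some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  return major < 3 || (major === 3 && minor === 0 && patch < 2);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("retained after 1000 requests (leaky):", dictionarySizeAfter("leaky", 1000));
  console.log("retained after 1000 requests (fixed):", dictionarySizeAfter("fixed", 1000));
  console.log("3.0.1 affected:", isAffectedVersion("3.0.1"), "| 3.0.2 affected:", isAffectedVersion("3.0.2"));
}
```

In the leaky variant the retained list grows by the length of the second argument on every request, so memory and per-call scan time both scale with total traffic rather than with the current request; in the mitigated variant the retained list stays at the size set once through setOptions, which is the behaviour the recommendation above relies on.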

Weakness Enumeration: Resource Exhaustion

Related Identifiers: CVE-2023-34109, GHSA-38HX-X5HQ-5FG4

Affected Products: Zxcvbn-Ts