PT-2023-28897 · Unknown+2 · Get-Func-Name+2

Gap-Dev · Published 2023-09-26 · Updated 2023-10-02 · CVE-2023-43646

CVSS v3.1: 8.6 High
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: get-func-name versions prior to 2.0.1

Description: The issue is a regular expression denial of service (ReDoS) vulnerability in the get-func-name module, which can lead to a denial of service when parsing malicious input. The vulnerability can be exploited when there is an imbalance in parentheses, resulting in excessive backtracking and increased CPU load and processing time. It can be triggered using a specific input, such as 't'.repeat(54773) + 't/function/i'. The regex implementation in question is susceptible to excessive backtracking, leading to potential DoS attacks.

Recommendations: For versions prior to 2.0.1, upgrade to version 2.0.1 or later to address the issue. As a temporary workaround, consider restricting the use of the vulnerable functionNameMatch regex implementation until a patch is available. Avoid using the functionNameMatch regex with untrusted input until the issue is resolved. At the moment, there are no known workarounds for this vulnerability other than upgrading to a fixed version.
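The mitigation the description points at (keep untrusted, unbounded strings away from a backtracking-prone function-name regex) is shown below as an added example. This is not code from get-func-name or from the advisory: `MAX_SOURCE_LENGTH`, `extractFunctionName`, `nameOf` and the `functionNameMatch` pattern are all constructed for this illustration, and the pattern is a stand-in in the style of a function-name matcher rather than a quotation of the library's own. The point it demonstrates is that bounding the input before the regex ever runs bounds the engine's worst-case work, so an oversized string is refused in constant time instead of being matched.

```javascript
// Added defensive example (not the get-func-name implementation).
// Extract a function's name from its source text, but only after bounding
// the input so that a pathological string cannot drive the regex engine
// into excessive backtracking.

// Assumed cap (constructed for this example): no legitimate function header
// needs more characters than this before its name appears.
const MAX_SOURCE_LENGTH = 512;

// Illustrative matcher, anchored at the start of the string: skips whitespace
// and block comments between `function` and the name. Stand-in only; it is
// not the advisory's functionNameMatch.
const functionNameMatch = /^\s*function(?:\s|\s*\/\*[^*]*\*\/\s*)*([^\s(\/]+)/;

// Returns { name, rejected }. `rejected` is true when the input exceeded the
// cap and the regex was therefore never applied to it.
function extractFunctionName(source) {
  if (typeof source !== 'string') {
    return { name: null, rejected: true };
  }
  if (source.length > MAX_SOURCE_LENGTH) {
    // Refuse oversized input outright: O(1) regardless of its shape.
    return { name: null, rejected: true };
  }
  const match = functionNameMatch.exec(source);
  return { name: match ? match[1] : null, rejected: false };
}

// Prefer the engine-provided `name`; fall back to source parsing only when it
// is absent, which is the only path where a source-derived regex is needed.
function nameOf(fn) {
  if (typeof fn !== 'function') {
    return null;
  }
  if (typeof fn.name === 'string' && fn.name.length > 0) {
    return fn.name;
  }
  return extractFunctionName(Function.prototype.toString.call(fn)).name;
}

// Constructed inputs for the demonstration.
const benignSource = 'function /* comment */ parseHeader(req) { return req; }';
// Oversized input constructed to exercise the cap; it never reaches the regex.
const oversizedSource = 't'.repeat(60000) + 't/function/i';

// Runs both inputs through the guard and reports how long the pair took.
function demo() {
  const started = Date.now();
  const benign = extractFunctionName(benignSource);
  const oversized = extractFunctionName(oversizedSource);
  return { benign, oversized, elapsedMs: Date.now() - started };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with `node` to see the benign source yield `parseHeader` while the oversized string is reported as rejected with negligible elapsed time. The cap is deliberately applied to the whole string length rather than to any property of its content, because the expensive part of a ReDoS is the engine's backtracking over the input, and a length bound limits that no matter how the input is shaped.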

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2023-43646
GHSA-4Q6P-R6V2-JVC5

Affected Products

Astra Linux
Debian
Get-Func-Name