CVE-2024-34075

Name of the Vulnerable Software and Affected Versions kurwov versions prior to 3.2.5

Description The issue arises from an unsafe sanitization of dataset contents on the MarkovData#getNext method used in Markov#generate and Markov#choose. This allows a maliciously crafted string on the dataset to throw and stop the function from running properly. If a string contains a forbidden substring (i.e. proto) followed by a space character, the code will access a special property in MarkovData#finalData by removing the last character of the string, bypassing the dataset sanitization. Any dataset can be contaminated with the substring, making it unable to properly generate anything in some cases.

Recommendations For kurwov versions prior to 3.2.5, upgrade to version 3.2.5 to address the issue. As a temporary workaround, consider avoiding the use of the MarkovData#getNext method or restricting access to contaminated datasets until the upgrade is applied. Additionally, refrain from using the proto substring in dataset strings to minimize the risk of exploitation.