CVE-2024-39249

Name of the Vulnerable Software and Affected Versions Async versions 2.6.4 and earlier, Async versions 3.2.5 and earlier

Description The issue concerns a ReDoS (Regular Expression Denial of Service) vulnerability while parsing a function in the autoinject function. It is noted that the supplier disputes this vulnerability, citing that there is no realistic threat model because regular expressions are not used with untrusted input.

Recommendations For Async versions 2.6.4 and earlier, consider updating to a version later than 2.6.4 to resolve the issue. For Async versions 3.2.5 and earlier, consider updating to a version later than 3.2.5 to resolve the issue. As a temporary workaround, consider restricting the use of regular expressions with untrusted input in the autoinject function until a patch is available.