PT-2024-29484 · Unknown · Tf2-Item-Format

Piman51277 · Published 2024-07-23 · Updated 2024-07-24 · CVE-2024-41655

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: tf2-item-format versions 4.2.6 through 5.9.13

Description: The issue is a Regular Expression Denial of Service (ReDoS) that is triggered when the library parses crafted user input. An attacker can exploit it to perform DoS attacks against any service that uses tf2-item-format to parse user input.

Recommendations: For versions 4.2.6 through 5.8.10, upgrade the package to version 5.9.14. For version 5.9.13, upgrade the package to version 5.9.14. For versions prior to 5.9.14, consider upgrading to version 5.9.14 to resolve the issue. If upgrading to v5 is not possible, consider forking the module repository and implementing the fix detailed in the v4 to v5 migration guide.

Tags: Exploit · Fix · DoS


Weakness Enumeration

Related Identifiers

CVE-2024-41655
GHSA-8H55-Q5QQ-P685

Affected Products

Tf2-Item-Format