PT-2024-30542 · Fugit+1

Personnumber3377 · Published 2024-08-19 · Updated 2024-08-23 · CVE-2024-43380

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions: fugit versions prior to 1.11.1

Description: The fugit "natural" parser, which turns natural language into cron expressions, accepted input of any length and attempted to parse it without returning promptly. This could cause the parse call to hold the thread indefinitely. Fugit dependents that do not check user input length for plausibility are impacted.

Recommendations: For fugit versions prior to 1.11.1, update to version 1.11.1 to resolve the issue. As a temporary workaround, ensure that Fugit.parse(s), Fugit.do_parse(s), Fugit.parse_nat(s), Fugit.do_parse_nat(s), Fugit::Nat.parse(s), and Fugit::Nat.do_parse(s) are not fed strings that are too long, for example by limiting input to 1000 characters or less, to prevent the parser from stalling.
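The length guard described in the workaround above, as an added example that is not part of fugit or of this advisory: a small Ruby wrapper that rejects inputs over 1000 characters before they reach the affected entry points. The parser is injected as a callable so the guard runs without the gem installed; the default lambdas delegate to Fugit.parse and Fugit.do_parse, and the module name, limit constant and exception class are this example's own.

```ruby
# Added example, not fugit's own code: a length guard implementing the
# advisory's workaround. The affected entry points (Fugit.parse,
# Fugit.do_parse, Fugit.parse_nat, Fugit.do_parse_nat, Fugit::Nat.parse,
# Fugit::Nat.do_parse) walk the whole input, so oversized strings are
# rejected here before the parser ever sees them.
begin
  require 'fugit' # only needed when delegating to the real parser
rescue LoadError # not installed; the guard itself does not need it
end

module FugitGuard
  # The advisory suggests 1000 characters or fewer; real schedule
  # strings are normally far shorter, so this is a generous default.
  MAX_CHARS = 1000

  class InputTooLong < ArgumentError; end

  # Trim surrounding whitespace and enforce the character limit
  # (the advisory's limit is stated in characters, not bytes).
  def self.check!(s, max: MAX_CHARS)
    raise ArgumentError, 'schedule must be a String' unless s.is_a?(String)
    t = s.strip
    raise InputTooLong, "schedule is #{t.length} chars, limit is #{max}" if t.length > max
    t
  end

  # Non-raising wrapper: returns nil on oversized input, mirroring
  # Fugit.parse, which returns nil for input it cannot parse.
  # `parser` is injected so the guard can run without fugit installed.
  def self.parse(s, max: MAX_CHARS, parser: ->(str) { Fugit.parse(str) })
    parser.call(check!(s, max: max))
  rescue InputTooLong
    nil
  end

  # Raising wrapper for the do_parse family: InputTooLong propagates,
  # just as Fugit.do_parse raises on input it rejects.
  def self.do_parse(s, max: MAX_CHARS, parser: ->(str) { Fugit.do_parse(str) })
    parser.call(check!(s, max: max))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal natural-language schedule and one far
  # beyond the limit. The echo lambda stands in for fugit here.
  echo = ->(str) { "parsed #{str.length} chars" }
  puts FugitGuard.parse('every day at 5am', parser: echo)   # parsed 16 chars
  p FugitGuard.parse('every ' * 5_000, parser: echo)        # nil
end
```

Wrap the remaining entry points (parse_nat, Fugit::Nat.parse and their do_ variants) the same way, passing the matching fugit call as `parser`.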

Category: Resource Exhaustion

Weakness Enumeration

Related Identifiers: CVE-2024-43380, GHSA-2M96-52R3-2F3G

Affected Products: Debian, Fugit