CVE-2024-9506

Name of the Vulnerable Software and Affected Versions Vue (affected versions not specified)

Description The issue is related to an improper regular expression in Vue's parseHTML function, which can lead to a potential regular expression denial of service vulnerability. This flaw, known as a ReDoS (Regular expression Denial of Service), allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption. In a Vue client-side application, this vulnerability can be exploited by creating a new Vue instance with a template string that includes a <script> tag but closes it incorrectly. The time taken to parse and mount the Vue application increases significantly due to the ReDoS vulnerability, demonstrating how the flaw can affect performance.

Recommendations To mitigate this issue, consider disabling the parseHTML function in the html-parser.ts file until a patch is available. Restrict access to the html-parser.ts file to minimize the risk of exploitation. Avoid using the parseHTML function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.