diff --git a/advisories/unreviewed/2026/05/asn1-berreader-dos/asn1-berreader-dos.json b/advisories/unreviewed/2026/05/asn1-berreader-dos/asn1-berreader-dos.json
new file mode 100644
index 0000000000000..f5ed3f6810bc0
--- /dev/null
+++ b/advisories/unreviewed/2026/05/asn1-berreader-dos/asn1-berreader-dos.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-PENDING",
+ "modified": "2026-05-01T00:00:00Z",
+ "published": "2026-05-01T00:00:00Z",
+ "aliases": [],
+ "summary": "asn1 BerReader.readString() infinite loop on malformed length (CPU DoS)",
+ "details": "BerReader.readString() in lib/ber/reader.js returns null when the decoded length exceeds the remaining buffer but does NOT advance _offset. Any code iterating children with `while (reader.remain > 0) { reader.readString(...) }` will spin forever: remain never decreases, peek() returns the same tag every iteration. Confirmed: a 2ms heartbeat timer fires 0 times during 200ms of synchronous looping — the Node.js event loop is completely blocked. A single 10-byte packet is sufficient. No authentication required.\n\nDownstream packages sshpk (extKeyUsage loop at x509.js:283), ldapjs (parse-to-message.js:70, pre-auth whole-process DoS), and @ldapjs/asn1 (carries identical fork of the bug) are also affected.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "asn1"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.2.6"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/TritonDataCenter/node-asn1/issues/57"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TritonDataCenter/node-asn1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.npmjs.com/package/asn1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-835"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false
+ }
+}
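Review bot: The `affected` array lists only npm `asn1`, while `details` says `@ldapjs/asn1` carries an identical fork of the bug and that `sshpk` and `ldapjs` are affected, so tooling that matches on `affected[].package.name` will not flag installs of those packages. Consider a second `affected` object for the fork, `"package": { "ecosystem": "npm", "name": "@ldapjs/asn1" }`, with its own `ranges` and a `last_known_affected_version_range` taken from that package's release history (the value is not on this page), plus cross-referenced advisories for the downstream consumers. The `asn1` range has `"introduced": "0"` and no `fixed` event, so the record reads as unpatched; if a patched release exists or is published, a `fixed` event is needed for scanners to clear upgraded installs. It would also help if `details` stated the caller-side mitigation that the text only implies: treat a null return from `readString()` as a parse error and stop iterating rather than re-testing `reader.remain`.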