From 2fa344b6a88b36caca10796077d86f42f7efba89 Mon Sep 17 00:00:00 2001
From: ty3 <109819481+tynus3@users.noreply.github.com>
Date: Fri, 1 May 2026 00:08:20 +0800
Subject: [PATCH 1/3] Create asn1-berreader-dos.json
---
 asn1-berreader-dos/asn1-berreader-dos.json | 57 ++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 asn1-berreader-dos/asn1-berreader-dos.json
diff --git a/asn1-berreader-dos/asn1-berreader-dos.json b/asn1-berreader-dos/asn1-berreader-dos.json
new file mode 100644
index 0000000000000..169d2b7380644
--- /dev/null
+++ b/asn1-berreader-dos/asn1-berreader-dos.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.4.0",
+ "id": "",
+ "modified": "2026-05-01T00:00:00Z",
+ "published": "2026-05-01T00:00:00Z",
+ "aliases": [],
+ "summary": "asn1 BerReader.readString() infinite loop on malformed length (CPU DoS)",
+ "details": "BerReader.readString() in lib/ber/reader.js returns null when the decoded length exceeds the remaining buffer but does NOT advance _offset. Any code iterating children with `while (reader.remain > 0) { reader.readString(...) }` will spin forever: remain never decreases, peek() returns the same tag every iteration. Confirmed: a 2ms heartbeat timer fires 0 times during 200ms of synchronous looping — the Node.js event loop is completely blocked. A single 10-byte packet is sufficient. No authentication required.\n\nDownstream packages sshpk (extKeyUsage loop at x509.js:283), ldapjs (parse-to-message.js:70, pre-auth whole-process DoS), and @ldapjs/asn1 (carries identical fork of the bug) are also affected.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "asn1"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.2.6"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/TritonDataCenter/node-asn1/issues/57"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TritonDataCenter/node-asn1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.npmjs.com/package/asn1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-835"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false
+ }
+}
From aab40746e2cc0ae65694b9a54afa6c72732e1f41 Mon Sep 17 00:00:00 2001
From: ty3 <109819481+tynus3@users.noreply.github.com>
Date: Fri, 1 May 2026 16:46:08 +0800
Subject: [PATCH 2/3] Delete asn1-berreader-dos directory
---
 asn1-berreader-dos/asn1-berreader-dos.json | 57 ----------------------
 1 file changed, 57 deletions(-)
 delete mode 100644 asn1-berreader-dos/asn1-berreader-dos.json
diff --git a/asn1-berreader-dos/asn1-berreader-dos.json b/asn1-berreader-dos/asn1-berreader-dos.json
deleted file mode 100644
index 169d2b7380644..0000000000000
--- a/asn1-berreader-dos/asn1-berreader-dos.json
+++ /dev/null
@@ -1,57 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "",
- "modified": "2026-05-01T00:00:00Z",
- "published": "2026-05-01T00:00:00Z",
- "aliases": [],
- "summary": "asn1 BerReader.readString() infinite loop on malformed length (CPU DoS)",
- "details": "BerReader.readString() in lib/ber/reader.js returns null when the decoded length exceeds the remaining buffer but does NOT advance _offset. Any code iterating children with `while (reader.remain > 0) { reader.readString(...) }` will spin forever: remain never decreases, peek() returns the same tag every iteration. Confirmed: a 2ms heartbeat timer fires 0 times during 200ms of synchronous looping — the Node.js event loop is completely blocked. A single 10-byte packet is sufficient. No authentication required.\n\nDownstream packages sshpk (extKeyUsage loop at x509.js:283), ldapjs (parse-to-message.js:70, pre-auth whole-process DoS), and @ldapjs/asn1 (carries identical fork of the bug) are also affected.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
- }
- ],
- "affected": [
- {
- "package": {
- "ecosystem": "npm",
- "name": "asn1"
- },
- "ranges": [
- {
- "type": "ECOSYSTEM",
- "events": [
- {
- "introduced": "0"
- }
- ]
- }
- ],
- "database_specific": {
- "last_known_affected_version_range": "<= 0.2.6"
- }
- }
- ],
- "references": [
- {
- "type": "WEB",
- "url": "https://github.com/TritonDataCenter/node-asn1/issues/57"
- },
- {
- "type": "PACKAGE",
- "url": "https://github.com/TritonDataCenter/node-asn1"
- },
- {
- "type": "WEB",
- "url": "https://www.npmjs.com/package/asn1"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-835"
- ],
- "severity": "HIGH",
- "github_reviewed": false
- }
-}
From e139b35a5a0a7f62e9d47b824f6252034a69f0c1 Mon Sep 17 00:00:00 2001
From: ty3 <109819481+tynus3@users.noreply.github.com>
Date: Fri, 1 May 2026 16:47:43 +0800
Subject: [PATCH 3/3] Add advisory: asn1 BerReader infinite loop CPU DoS (CWE-835)
---
 .../asn1-berreader-dos.json | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 advisories/unreviewed/2026/05/asn1-berreader-dos/asn1-berreader-dos.json
diff --git a/advisories/unreviewed/2026/05/asn1-berreader-dos/asn1-berreader-dos.json b/advisories/unreviewed/2026/05/asn1-berreader-dos/asn1-berreader-dos.json
new file mode 100644
index 0000000000000..f5ed3f6810bc0
--- /dev/null
+++ b/advisories/unreviewed/2026/05/asn1-berreader-dos/asn1-berreader-dos.json
@@ -0,0 +1,57 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-PENDING",
+ "modified": "2026-05-01T00:00:00Z",
+ "published": "2026-05-01T00:00:00Z",
+ "aliases": [],
+ "summary": "asn1 BerReader.readString() infinite loop on malformed length (CPU DoS)",
+ "details": "BerReader.readString() in lib/ber/reader.js returns null when the decoded length exceeds the remaining buffer but does NOT advance _offset. Any code iterating children with `while (reader.remain > 0) { reader.readString(...) }` will spin forever: remain never decreases, peek() returns the same tag every iteration. Confirmed: a 2ms heartbeat timer fires 0 times during 200ms of synchronous looping — the Node.js event loop is completely blocked. A single 10-byte packet is sufficient. No authentication required.\n\nDownstream packages sshpk (extKeyUsage loop at x509.js:283), ldapjs (parse-to-message.js:70, pre-auth whole-process DoS), and @ldapjs/asn1 (carries identical fork of the bug) are also affected.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "asn1"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.2.6"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/TritonDataCenter/node-asn1/issues/57"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/TritonDataCenter/node-asn1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.npmjs.com/package/asn1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-835"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false
+ }
+}
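Review bot: The `affected` array lists only `asn1`, while the `details` text states that `@ldapjs/asn1` carries an identical fork of the bug; OSV consumers (osv-scanner, Dependabot and similar) typically match on `affected` rather than on prose, so a package that ships its own copy of the vulnerable code will never be flagged from this record. Add a second `affected` entry for `@ldapjs/asn1` with its own `ranges`/`events` (or file a separate advisory for it); `sshpk` and `ldapjs` can stay in prose since they reach the bug through the `asn1` dependency. `"id": "GHSA-PENDING"` is a placeholder rather than a `GHSA-xxxx-xxxx-xxxx` identifier, and in this database the directory and file name conventionally carry that id as well, so a second pending submission would collide on the same `id` and path; if the id is assigned at merge time, a note in the PR description saying so would help reviewers. Minor: the issue-tracker link would be more precisely typed `"type": "REPORT"` than `"WEB"`. The PATCH 1/3 hunk carries the same content apart from `"id"` but is removed again by PATCH 2/3, so only this file needs the change.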