CVE-2021-29057: SUCHMOKUO node-worker-threads-pool denial of service Vulnerability
CVSS Score (CVSS v3.1): 6.5
Basic Information
CVE ID: CVE-2021-29057
GHSA ID:
EPSS Score: 0.16909%
CWE:
Published: 8/11/2023
Updated: 10/3/2024
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| node-worker-threads-pool | npm | <= 1.4.3 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key issues: 1) the exec method has no default timeout, so a task that never returns (for example an infinite loop) occupies its worker thread permanently; 2) the StaticPool constructor does not enforce resource limits by default. Together they enable CWE-400/CWE-770 scenarios in which an attacker who can submit blocking tasks exhausts every worker in the pool, after which no further task can run. GitHub issue #20 demonstrates this explicitly by showing how unterminated tasks block subsequent executions, and the advisory confirms that mitigation requires the caller to configure a timeout manually rather than relying on built-in protections.