
CVE-2021-29057: SUCHMOKUO node-worker-threads-pool denial of service Vulnerability

CVSS Score: 6.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.16909%
Published: 8/11/2023
Updated: 10/3/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Package Name: node-worker-threads-pool
Ecosystem: npm
Vulnerable Versions: <= 1.4.3
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two issues: 1) `exec` applies no timeout by default, so a task that never returns (for example, one that attacker-controlled input drives into an infinite loop) occupies its worker thread permanently. 2) The `StaticPool` constructor enforces no resource limits by default. Together they enable CWE-400 (uncontrolled resource consumption) / CWE-770 (allocation of resources without limits) scenarios: a `StaticPool` has a fixed number of workers, so an attacker who can submit one blocking task per worker exhausts the pool, and every later `exec` call waits in the queue indefinitely. GitHub issue #20 demonstrates this by showing how un-terminated tasks block subsequent executions, and the advisory confirms that mitigation requires passing a timeout manually rather than relying on any built-in protection.


WAF Protection Rules

WAF Rule

An issue was discovered in StaticPool in SUCHMOKUO node-worker-threads-pool version 1.4.3 that allows attackers to cause a denial of service. This can be mitigated by manually creating a timeout. For example: `const { StaticPool } = require("` (the rest of the advisory's example is cut off on this page).
