
CVE-2021-29486: cumulative-distribution-function Infinite Loop vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.702%
Published: 5/4/2021
Updated: 1/29/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name                      Ecosystem  Vulnerable Versions  First Patched Version
cumulative-distribution-function  npm        < 2.0.0              2.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability manifests in two key phases:

  1. The cdf() entry point fails to validate input data types, allowing non-numeric values into the processing pipeline (CWE-20).
  2. The exit condition of the generated f(x) function's bisection search loop (while(true)) becomes unreachable when the comparisons are made on string values, causing infinite CPU consumption (CWE-835).

Runtime detection would show:

  • The cdf() function during input processing
  • The anonymous f(x) evaluation function in a tight loop during exploitation

Patch changes confirm these points by adding type checks in cdf() and loop limits in f(x), directly addressing these two vulnerable components.
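As an added illustration (not the package's own code and not the 2.0.0 patch itself), here is an empirical CDF written with the two mitigations the analysis above describes: a type check on the input array in cdf() and an iteration cap on the bisection inside the returned f(x). The names cdf and f follow the page; the bisection layout and the sample data are assumptions.

```javascript
// Constructed example of the two fixes: validate input types up front
// (CWE-20) and bound the search loop so it can never spin forever (CWE-835).

function cdf(data) {
  if (!Array.isArray(data) || data.length === 0) {
    throw new TypeError("cdf() expects a non-empty array of numbers");
  }
  // Type check: a string such as "3" would be compared lexicographically
  // against numbers, so every element must be an actual finite number.
  for (const v of data) {
    if (typeof v !== "number" || !Number.isFinite(v)) {
      throw new TypeError(`cdf() got non-numeric value: ${JSON.stringify(v)}`);
    }
  }
  const sorted = data.slice().sort((a, b) => a - b);
  const n = sorted.length;
  // Loop limit: a bisection over n elements needs at most ceil(log2(n)) + 1
  // steps. Exceeding that means the invariants broke, so bail out rather
  // than consume CPU indefinitely.
  const maxIter = Math.ceil(Math.log2(n)) + 2;

  // f(x) = fraction of samples <= x, located with a bounded bisection.
  return function f(x) {
    if (typeof x !== "number" || Number.isNaN(x)) {
      throw new TypeError(`f(x) expects a number, got ${JSON.stringify(x)}`);
    }
    let lo = 0;   // every index below lo holds a sample <= x
    let hi = n;   // every index at or above hi holds a sample > x
    let iter = 0;
    while (lo < hi) {
      if (++iter > maxIter) {
        throw new RangeError("cdf bisection exceeded its iteration limit");
      }
      const mid = (lo + hi) >>> 1;
      if (sorted[mid] <= x) lo = mid + 1; else hi = mid;
    }
    return lo / n;   // lo is the count of samples <= x
  };
}

// Constructed sample: five numeric observations.
const sampleF = cdf([3, 1, 2, 5, 4]);
```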


Impact

Apps using this library on improper data may crash or go into an infinite loop. In the case of a Node.js server app using this library to act on invalid non-numeric data, the Node.js server may crash. This may affect other users of this
