CVE-2024-41655: Regular Expression Denial of Service (ReDoS) in tf2-item-format
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2024-41655
GHSA ID:
EPSS Score: 0.29366%
CWE: CWE-1333 (Inefficient Regular Expression Complexity)
Published: 7/23/2024
Updated: 8/2/2024
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tf2-item-format | npm | >= 4.2.6, <= 5.9.13 | 5.9.14 |
Vulnerability Intelligence
Root Cause Analysis (Miggo AI)
The vulnerability is in src/shared/decomposeName.ts, lines 54-57, where user-controlled input (the toRemove value) is interpolated into a regular expression. Because the caller controls part of the pattern itself rather than only the text being searched, a crafted toRemove can trigger catastrophic backtracking in the regex engine and block the Node.js event loop (CWE-1333, Inefficient Regular Expression Complexity), which is why the CVSS vector scores availability as High with no confidentiality or integrity impact. The getItemIfTarget function is the reachable entry point: it lets user input determine the toRemove value that decomposeName uses. The fix in 5.9.14 removes the dynamically built regex and performs the removal with string.replace() calls instead; a string argument to replace() is matched literally, so the caller no longer controls a pattern.

Supporting evidence:
1. The security advisory explicitly identifies decomposeName.ts.
2. The PoC shows user input flowing through getItemIfTarget.
3. The commit diff shows the regex being removed from decomposeName.ts.
4. The CWE-1333 mapping corresponds to inefficient regex patterns.

Other modified functions also contained regex patterns of the same kind, but they are secondary to the main attack vector.
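The following is an added example, not code from tf2-item-format or from the advisory. It models the shape of the bug described above (attacker-controlled text interpolated into a RegExp) next to the two usual ways of doing the same removal safely, including the string.replace() form the patch is described as using. The function names, the trailing-space convention, the sample item names and the timing helper are all hypothetical; the real decomposeName.ts is not reproduced here.

```javascript
// Added example (not tf2-item-format's own code). Models attacker-controlled
// text (toRemove) being interpolated into a RegExp, and two safe alternatives.
// All names and the "prefix followed by a space" convention are hypothetical.

// Vulnerable shape. Whatever the caller passes as toRemove becomes part of the
// pattern, so regex metacharacters in it are interpreted rather than matched
// literally, and a pattern such as "(a+)+$" makes a backtracking engine like
// V8's Irregexp do exponential work (CWE-1333).
function stripPrefixUnsafe(name, toRemove) {
  return name.replace(new RegExp(toRemove + ' '), '');
}

// Fix A: keep the RegExp but neutralise metacharacters first, so toRemove is
// always treated as literal text.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}
function stripPrefixEscaped(name, toRemove) {
  return name.replace(new RegExp(escapeRegExp(toRemove) + ' '), '');
}

// Fix B: no RegExp at all. A string first argument to String.prototype.replace
// is matched literally and only the first occurrence is replaced, so the
// caller cannot influence how matching is performed.
function stripPrefixLiteral(name, toRemove) {
  return name.replace(toRemove + ' ', '');
}

// Cheap pre-check for call sites that must keep building a RegExp from
// external text: flag anything containing regex metacharacters.
function containsRegexMetachars(s) {
  return /[.*+?^${}()|[\]\\]/.test(s);
}

// Times the unsafe version on a classic ReDoS input: n 'a's followed by '!'
// against the pattern "(a+)+$". Keep n small (<= 20); the cost roughly
// doubles with each extra character, which is the behaviour being avoided.
function timeUnsafeStripMs(n) {
  const victim = 'a'.repeat(n) + '!';   // constructed input, never matches
  const start = performance.now();
  stripPrefixUnsafe(victim, '(a+)+$');
  return performance.now() - start;
}

// Stand-alone demonstration of the semantic difference and the slowdown.
console.log(stripPrefixUnsafe('Festive Kit', 'Fest.ve'));   // "Kit": '.' matched 'i'
console.log(stripPrefixEscaped('Festive Kit', 'Fest.ve'));  // "Festive Kit": no match
console.log(stripPrefixLiteral('Festive Kit', 'Fest.ve'));  // "Festive Kit": no match
for (const n of [12, 14, 16]) {
  console.log(`n=${n}: ${timeUnsafeStripMs(n).toFixed(2)} ms`);
}
```

The "Fest.ve" case is the cheapest way to show the problem without waiting on a timeout: in the unsafe version the dot is a wildcard and the prefix is stripped, while both fixes leave the name untouched because no literal "Fest.ve " exists in it. Fix B matches the patch as described on this page; Fix A is the alternative when a RegExp is genuinely needed (for example for case-insensitive matching), and containsRegexMetachars is a reasonable input-validation gate in front of either.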