Basic Information
CVSS Score: -
CVE ID: -
GHSA ID: -
EPSS Score: -
CWE: -
Published: -
Updated: -
KEV Status: -
Technology: -
The core vulnerability is in src/shared/decomposeName.ts, lines 54-57, where user-controlled input (toRemove) is used to build a dangerous regex pattern. It was patched by replacing the regex with string.replace() calls. The getItemIfTarget function is the path that enables exploitation, because it lets user input control the toRemove value. Supporting evidence:
1) the security advisory explicitly names decomposeName.ts;
2) the PoC shows how user input flows through getItemIfTarget;
3) the commit diff shows the regex being removed from decomposeName.ts;
4) the CWE-1333 mapping (inefficient regular expression patterns).
Other modified functions also contained vulnerable regex patterns, but they were secondary to this main attack vector.
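To make the mechanism concrete, the following is an added example (not code from tf2-item-format, its advisory or its fix) contrasting the vulnerable shape, a user-controlled string compiled into a RegExp, with a literal string replacement, plus the input check a caller could apply. Function names, the item names and the sample inputs are assumptions.

```javascript
// Added example, not code from tf2-item-format. It contrasts the vulnerable
// shape described above (a user-controlled toRemove compiled into a RegExp)
// with a string-based removal. Function names and samples are assumptions.

// Vulnerable shape: toRemove is interpreted as regex syntax (CWE-1333 risk).
// Metacharacters change what is matched, an unbalanced "(" throws
// SyntaxError, and a nested-quantifier input can backtrack catastrophically
// on a long subject string.
function removeUnsafe(name, toRemove) {
  return name.replace(new RegExp(toRemove), '').trim();
}

// Hardened shape (the spirit of the fix the record describes): toRemove is
// treated as literal data, so it can never become a pattern.
function removeSafe(name, toRemove) {
  if (!toRemove) return name.trim();
  return name.split(toRemove).join('').trim();
}

// Boundary check for any code path that still builds a RegExp from input:
// flag strings that contain regex metacharacters.
const REGEX_META = /[\\^$.*+?()[\]{}|]/;
function containsRegexMetachars(s) {
  return REGEX_META.test(s);
}

// Constructed samples: the first is the benign use, the second shows where
// the two implementations diverge.
const SAMPLES = [
  { name: 'Strange Scattergun', toRemove: 'Strange ' },
  { name: 'A.B', toRemove: '.' },
];

// Runs both implementations on one sample and reports the outcome.
function compare(sample) {
  let unsafe;
  try {
    unsafe = removeUnsafe(sample.name, sample.toRemove);
  } catch (e) {
    unsafe = `throws ${e.name}`;
  }
  return {
    unsafe,
    safe: removeSafe(sample.name, sample.toRemove),
    metachars: containsRegexMetachars(sample.toRemove),
  };
}
```

For the '.' sample the regex version strips the first character instead of the dot, which is the same root cause (input becomes pattern) that makes the backtracking case possible.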
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| tf2-item-format | npm | >= 4.2.6, <= 5.9.13 | 5.9.14 |