7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41655

GHSA ID

GHSA-8h55-q5qq-p685

EPSS Score

0.29366%

CWE

CWE-624

Published

7/23/2024

Updated

8/2/2024

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-41655

CVE-2024-41655: (ReDoS) Regular Expression Denial of Service in tf2-item-format

Summary

Versions of tf2-item-format since at least 4.2.6 are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when parsing crafted user input.

Tested Versions

5.9.13
5.8.10
5.7.0
5.6.17
4.3.5
4.2.6

v5

Upgrade package to ^5.9.14

v4

No patch exists. Please consult the v4 to v5 migration guide to upgrade to v5.

If upgrading to v5 is not possible, fork the module repository and implement the fix detailed below.

Impact

This vulnerability can be exploited by an attacker to perform DoS attacks on any service that uses any tf2-item-format to parse user input.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-41655

GHSA ID

GHSA-8h55-q5qq-p685

EPSS Score

0.29366%

CWE

CWE-624

Published

7/23/2024

Updated

8/2/2024

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
tf2-item-format	npm	>= 4.2.6, <= 5.9.13	5.9.14

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from src/shared/decomposeName.ts lines 54-57 where user-controlled input (toRemove) is used to create a dangerous regex pattern. This was patched by replacing the regex with string.replace() calls. The getItemIfTarget function enables exploitation by allowing user input to control the toRemove value. Supporting evidence comes from: 1) The security advisory explicitly identifying decomposeName.ts 2) The PoC showing how user input flows through getItemIfTarget 3) Commit diff showing regex removal in decomposeName.ts 4) CWE-1333 mapping to inefficient regex patterns. Other modified functions showed vulnerable regex patterns but were secondary to the main attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry V*rsions o* `t**-it*m-*orm*t` sin** *t l**st `*.*.*` *r* vuln*r**l* to * R**ul*r *xpr*ssion **ni*l o* S*rvi** (R**oS) *tt**k w**n p*rsin* *r**t** us*r input. ## T*st** V*rsions - `*.*.**` - `*.*.**` - `*.*.*` - `*.*.**` - `*.*.*` - `*.

Reasoning

T** *or* vuln*r**ility st*ms *rom `sr*/s**r**/***ompos*N*m*.ts` lin*s **-** w**r* us*r-*ontroll** input (toR*mov*) is us** to *r**t* * **n**rous r***x p*tt*rn. T*is w*s p*t**** *y r*pl**in* t** r***x wit* `strin*.r*pl***()` **lls. T** `**tIt*mI*T*r**

7.5

Basic Information

Concerned about an active attack path?

CVE-2024-41655: (ReDoS) Regular Expression Denial of Service in tf2-item-format

Summary

Tested Versions

v5

v4

Impact

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI