-
CVSS Score
-Basic Information
CVE ID
-
GHSA ID
-
EPSS Score
-
CWE
-
Published
-
Updated
-
KEV Status
-
Technology
-
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI
JavaScriptJavaScript| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| financejs | npm | <= 4.1.0 |
Miggo AIRoot Cause AnalysisThe vulnerability lies in the 'IRR' function of 'finance.js', which is susceptible to a Denial of Service attack. The root cause is the improper handling of the 'depth' parameter, which is intended to limit the number of iterations in the internal rate of return calculation. An attacker can supply a very large value for 'depth', causing the 'seekZero' function, which is called by 'IRR', to enter a nearly infinite loop. The 'seekZero' function's 'while' loops are the direct cause of the excessive CPU consumption. The 'IRR' function is the entry point for the vulnerability as it takes the malicious input. A runtime profiler would likely show both 'Finance.prototype.IRR' and 'seekZero' in the stack trace during an exploit, as 'IRR' calls 'seekZero' to perform the calculation. The lack of input validation on the 'depth' parameter allows for the allocation of resources without limits, leading to the DoS condition.
Ongoing coverage of React2Shell