Regular Expression Denial of Serviceacorn
Affected versions of
acorn are vulnerable to Regular Expression Denial of Service. A regex in the form of
/[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser. If an application processes untrusted input and passes it directly to
acorn, attackers may leverage the vulnerability leading to Denial of Service.
Upgrade to versions 5.7.4, 6.4.1, 7.1.1 or later.
publishedAdvisory PublishedMar 6th, 2020
reportedReported by Peter van der ZeeMar 2nd, 2020