CVE-2024-41655: 
JavaScript vulnerability analysis and mitigation

TF2 Item Format, a tool that helps users format TF2 items to community standards, contains a Regular Expression Denial of Service (ReDoS) vulnerability. Versions since at least 4.2.6 and prior to 5.9.14 are affected when parsing crafted user input. The vulnerability was discovered in July 2024 and has been assigned CVE-2024-41655 (GitHub Advisory).

The vulnerability stems from improper regular expression handling in the decomposeName.ts file. The issue occurs when both itemName and toRemove parameters originate from user input, allowing exploitation through catastrophic backtracking. The vulnerability is triggered under specific conditions where attributes.usableItem is truthy and either attributes.usableItem.output or attributes.usableItem.target are falsy. The CVSS v3.1 score is 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

An attacker can exploit this vulnerability to perform Denial of Service (DoS) attacks on any service that uses tf2-item-format to parse user input. When exploited, the attack can cause the server to hang due to excessive resource consumption during regular expression processing (GitHub Advisory).

Users are advised to upgrade to version 5.9.14 or later, which contains a fix for the vulnerability. For version 4 users, no direct patch exists, and they should consult the v4 to v5 migration guide to upgrade. If upgrading to v5 is not possible, users can fork the module repository and implement the fix by replacing the vulnerable regular expression with direct string replacements (GitHub Commit, GitHub Release).