CVE-2024-41818: 
JavaScript vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in fast-xml-parser, an open source pure JavaScript XML parser. The vulnerability (CVE-2024-41818) exists in the currency.js file and affects version 4.2.4. The issue was discovered by Gauss Security Labs R&D team and was fixed in version 4.4.1 (GitHub Advisory).

The vulnerability exists in the currency parsing functionality of the library, specifically in the regular expression implementation within currency.js. The vulnerable code is located at line 10 of the currency.js file. The vulnerability can be triggered by passing a specially crafted string consisting of repeated tab characters followed by a period. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (GitHub Advisory).

The vulnerability can lead to a Denial of Service condition during currency parsing in the experimental version 5 of the fast-xml-parser library. When exploited, it can cause the application to become unresponsive, affecting the availability of the service (GitHub Advisory).

Users should upgrade to version 4.4.1 or later which contains the fix for this vulnerability. The fix includes implementing a maximum length check for the input string before processing (GitHub Patch).