GHSA-6chw-6frg-f759: 
JavaScript vulnerability analysis and mitigation

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in Acorn, a JavaScript parser. The vulnerability affects versions >= 5.5.0 < 5.7.4, >= 6.0.0 < 6.4.1, and >= 7.0.0 < 7.1.1. The issue was disclosed on March 2, 2020, and published to the GitHub Advisory Database on April 3, 2020. The vulnerability received a high severity CVSS score of 7.5 (GitHub Advisory).

The vulnerability occurs when a regex in the form of /[x-\ud800]/u is processed, causing the parser to enter an infinite loop. The string is not valid UTF16, which typically would be sanitized before reaching the parser. The issue was addressed by implementing more rigorous checks for surrogate pairs in the regexp validator (Acorn Commit). The vulnerability has been assigned CWE-400 and received a CVSS v3.1 base score of 7.5, with metrics indicating network attack vector, low attack complexity, no privileges required, and high impact on availability (Snyk Report).

When exploited, this vulnerability can lead to a total loss of availability, resulting in a Denial of Service condition. The attacker can cause the system to enter an infinite loop, making it unresponsive and denying access to legitimate users. This is particularly impactful when the application processes untrusted input and passes it directly to Acorn (GitHub Advisory, Snyk Report).

The vulnerability has been patched in versions 5.7.4, 6.4.1, and 7.1.1. Users are advised to upgrade to these or later versions to mitigate the vulnerability. The fix involves more rigorous validation of surrogate pairs in the regexp validator (GitHub Advisory, Acorn Issue).