GHSA-fvwr-h9xh-m6wc: 
JavaScript vulnerability analysis and mitigation

A high-severity Denial of Service (DoS) vulnerability was identified in @commercial/subtext package versions prior to 5.1.1. The vulnerability was discovered and reported on September 3, 2020, and affects the npm package @commercial/subtext. This security issue was reviewed on August 31, 2020, and last updated on April 11, 2023. The vulnerability is tracked as GHSA-fvwr-h9xh-m6wc and is associated with CWE-400 (GitHub Advisory).

The vulnerability stems from a failure to properly enforce the maxBytes configuration for payloads with chunked encoding that are written to the file system. This implementation flaw allows for the processing of requests with unconstrained payload sizes, potentially leading to resource exhaustion (GitHub Advisory).

When exploited, this vulnerability can lead to Denial of Service conditions by allowing attackers to send requests with arbitrary payload sizes, which can exhaust system resources. The severity of this vulnerability is rated as High, indicating its significant potential impact on system availability (GitHub Advisory).

Users are strongly recommended to upgrade to version 5.1.1 or later, which contains the patch for this vulnerability. This version implements proper enforcement of the maxBytes configuration for chunked encoding payloads (GitHub Advisory).