CVE-2024-21539
📋 TL;DR
CVE-2024-21539 is a Regular Expression Denial of Service (ReDoS) vulnerability in @eslint/plugin-kit versions before 0.2.3. Attackers can send specially crafted input to cause excessive CPU consumption and potentially crash applications using this package. This affects any system using vulnerable versions of @eslint/plugin-kit, particularly in development environments or build pipelines.
💻 Affected Systems
- @eslint/plugin-kit
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through CPU exhaustion, causing application crashes and denial of service to legitimate users.
Likely Case
Degraded performance and intermittent service interruptions during development/build processes.
If Mitigated
Minimal impact with proper input validation and resource limits in place.
🎯 Exploit Status
ReDoS vulnerabilities typically require sending specially crafted input to trigger inefficient regex patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.2.3 and later
Vendor Advisory: https://github.com/eslint/rewrite/commit/071be842f0bd58de4863cdf2ab86d60f49912abf
Restart Required: No
Instructions:
1. Update package.json to specify @eslint/plugin-kit version 0.2.3 or higher.
2. Run 'npm update @eslint/plugin-kit' or 'yarn upgrade @eslint/plugin-kit'.
3. Verify the update with 'npm list @eslint/plugin-kit' or 'yarn list @eslint/plugin-kit'.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict input validation and length limits on user-provided data before processing with @eslint/plugin-kit.
Resource limiting
Configure CPU time limits and process monitoring to prevent excessive resource consumption.
ulimit -t 30 # Limit CPU time to 30 seconds (Linux)
🧯 If You Can't Patch
- Implement strict input validation and sanitization for all user-provided data.
- Deploy resource monitoring and alerting for abnormal CPU usage patterns.
🔍 How to Verify
Check if Vulnerable:
Check package.json or run 'npm list @eslint/plugin-kit' to see the installed version.
Check Version:
npm list @eslint/plugin-kit | grep @eslint/plugin-kit
Verify Fix Applied:
Confirm version is 0.2.3 or higher with 'npm list @eslint/plugin-kit' or check package-lock.json.
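The manual checks above only show the hoisted copy; a lockfile can also carry nested duplicates of @eslint/plugin-kit under other packages, each loaded independently. The script below is an added example (not part of this advisory or of the ESLint project) that walks a package-lock.json, lists every installed copy, and flags any below the fixed version 0.2.3. The lockfile-format handling, the sample lockfile and the simplified version comparison (pre-release and build suffixes are ignored) are this example's own assumptions.

```javascript
// Added example: audit package-lock.json for @eslint/plugin-kit < 0.2.3 (CVE-2024-21539).
// Not the advisory's or the project's code; lockfile handling and sample data are assumptions.

const PACKAGE = "@eslint/plugin-kit";
const FIXED_VERSION = "0.2.3"; // first non-vulnerable release per the advisory

// Parse "major.minor.patch". A "-prerelease" or "+build" suffix is dropped, so a
// hypothetical 0.2.3-beta would be treated as 0.2.3 here (limitation of this example).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Collect every installed copy of the package from a parsed package-lock.json.
// Lockfile v2/v3 list installs under "packages" keyed by path; v1 nests them under
// "dependencies". Nested copies count too: each node_modules copy is loaded separately.
function findInstalledVersions(lock) {
  const found = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p.endsWith(`node_modules/${PACKAGE}`) && meta.version) {
        found.push({ path: p, version: meta.version });
      }
    }
  }
  if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${name}`;
        if (name === PACKAGE && meta.version) found.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Report every copy with a vulnerable flag; an empty list means the package is not installed.
function auditLockfile(lock) {
  return findInstalledVersions(lock).map((e) => ({ ...e, vulnerable: isVulnerableVersion(e.version) }));
}

// Constructed sample lockfile (v3): the hoisted copy is fixed, a nested copy is still stale.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@eslint/plugin-kit": { version: "0.2.3" },
    "node_modules/some-preset/node_modules/@eslint/plugin-kit": { version: "0.2.0" },
  },
};

// Usage: node audit-plugin-kit.js [path/to/package-lock.json]; without an argument the sample runs.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  for (const r of auditLockfile(lock)) {
    console.log(`${r.vulnerable ? "VULNERABLE" : "ok        "} ${r.version.padEnd(8)} ${r.path}`);
  }
}
```

Point the script at a real lockfile to get one line per installed copy; any line marked VULNERABLE needs the dependency that pins it to be updated, not just the top-level entry, otherwise `npm list` will show 0.2.3 while the nested copy remains.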
📡 Detection & Monitoring
Log Indicators:
- Unusually high CPU usage by Node.js processes
- Process crashes or timeouts in ESLint-related tools
- Slow performance in development/build pipelines
Network Indicators:
- Increased response times from affected services
- Service unavailability during development operations
SIEM Query:
process.name:node AND cpu.usage > 90% AND process.args:*eslint*
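A lint run on a large repository legitimately pins a core for a while, so the query above fires on busy but healthy builds if it is evaluated per sample. The code below is an added example (not part of this advisory) that applies the same three conditions (node process, CPU above 90%, an eslint argument) to process-telemetry samples but only raises an alert once the condition has held for several consecutive samples of the same PID. The record shape, the constructed telemetry and the three-sample persistence threshold are this example's own assumptions.

```javascript
// Added example: evaluate the advisory's SIEM rule
//   process.name:node AND cpu.usage > 90% AND process.args:*eslint*
// over telemetry samples with a persistence requirement. Record shape, sample data
// and PERSIST_SAMPLES are assumptions of this example, not part of the advisory.

const CPU_THRESHOLD = 90;   // percent, taken from the advisory's query
const PERSIST_SAMPLES = 3;  // consecutive matching samples before alerting (assumption)

// One sample per process per collection interval; ts is seconds since some epoch.
function makeSample(ts, pid, name, args, cpu, host = "build-01") {
  return { ts, host, process: { pid, name, args }, cpu: { usage: cpu } };
}

// The per-sample rule, mirroring the three clauses of the SIEM query.
function matchesRule(sample) {
  return (
    sample.process.name === "node" &&
    sample.cpu.usage > CPU_THRESHOLD &&
    sample.process.args.some((a) => a.includes("eslint"))
  );
}

// Walk samples in time order, tracking a streak per PID. One alert is emitted when a
// streak reaches PERSIST_SAMPLES; a streak that breaks and rebuilds alerts again.
function detectSustainedHighCpu(samples) {
  const streaks = new Map(); // pid -> { count, firstSeen }
  const alerts = [];
  const ordered = [...samples].sort((a, b) => a.ts - b.ts);
  for (const s of ordered) {
    const pid = s.process.pid;
    if (!matchesRule(s)) {
      streaks.delete(pid);
      continue;
    }
    const st = streaks.get(pid) || { count: 0, firstSeen: s.ts };
    st.count += 1;
    streaks.set(pid, st);
    if (st.count === PERSIST_SAMPLES) {
      alerts.push({
        pid,
        host: s.host,
        firstSeen: st.firstSeen,
        ts: s.ts,
        args: s.process.args.join(" "),
        reason: `node process running eslint above ${CPU_THRESHOLD}% CPU for ${PERSIST_SAMPLES} samples`,
      });
    }
  }
  return alerts;
}

// Constructed telemetry, 10-second intervals:
//  - PID 4242: eslint pegged for four samples in a row  -> alert at the third sample
//  - PID 4243: eslint spiky (high, low, high, high)      -> never three in a row, no alert
//  - PID 5000: webpack pegged for three samples           -> no eslint argument, no alert
const ESLINT_ARGS = ["node", "node_modules/.bin/eslint", "src/"];
const WEBPACK_ARGS = ["node", "node_modules/.bin/webpack"];
const SAMPLE_TELEMETRY = [
  makeSample(0, 4242, "node", ESLINT_ARGS, 96),
  makeSample(0, 5000, "node", WEBPACK_ARGS, 99),
  makeSample(0, 4243, "node", ESLINT_ARGS, 95),
  makeSample(10, 4242, "node", ESLINT_ARGS, 98),
  makeSample(10, 5000, "node", WEBPACK_ARGS, 99),
  makeSample(10, 4243, "node", ESLINT_ARGS, 40),
  makeSample(20, 4242, "node", ESLINT_ARGS, 99),
  makeSample(20, 5000, "node", WEBPACK_ARGS, 99),
  makeSample(20, 4243, "node", ESLINT_ARGS, 95),
  makeSample(30, 4242, "node", ESLINT_ARGS, 97),
  makeSample(30, 4243, "node", ESLINT_ARGS, 96),
];

if (typeof require !== "undefined" && require.main === module) {
  for (const a of detectSustainedHighCpu(SAMPLE_TELEMETRY)) {
    console.log(`[ALERT] host=${a.host} pid=${a.pid} since=${a.firstSeen}s at=${a.ts}s: ${a.reason} (${a.args})`);
  }
}
```

Tune PERSIST_SAMPLES to the collection interval and the normal duration of a full lint in your pipeline; the detection signal in the advisory is an unusually long, not merely high, CPU burn by an ESLint-related process.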