Change Request: Vulnerability detected: Regular Expression Denial of Service (ReDoS) via the parseJSONLikeConfig function in the ConfigCommentParser class #208

@igorgiumellizup

Description

Environment

ESLint version:
@eslint/css version: 0.10.0
Node version: 23.6.1
npm version: 11.1.0
Operating System: Linux, macOS, Windows

According to the Snyk report and this GitHub report:

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parseJSONLikeConfig function in the ConfigCommentParser class. An attacker can cause excessive CPU consumption and block execution by providing specially crafted input that triggers inefficient regular expression processing.

The reports above mention @eslint/plugin-kit, but apparently the following libs introduce the vulnerability:

"@eslint/css": "^0.10.0",
"@eslint/json": "^0.13.0",
"@eslint/markdown": "^7.0.0",

What problem do you want to solve?

Vulnerability

What do you think is the correct solution?

Review the code mentioned in the reports.

Participation

  • I am willing to submit a pull request for this change.

Additional comments

No response

Metadata

accepted (There is consensus among the team that this change meets the criteria for inclusion), enhancement (New feature or request)

Status

Complete

Development

No branches or pull requests