Bug 2295035 (CVE-2024-39249)

Summary: CVE-2024-39249 nodejs-async: Regular expression denial of service while parsing function in autoinject
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aarif, abarbaro, adudiak, akostadi, alcohan, amasferr, amctagga, anjoseph, aprice, aschwart, asoldano, bbaranow, bdettelb, bmaxwell, boliveir, brian.stansberry, brking, caswilli, cbartlet, cdewolf, chazlett, danken, darran.lofthouse, dbosanac, dfreiber, dhanak, dholler, dkenigsb, dkreling, dkuc, dmayorov, doconnor, dosoudil, drichtar, drosa, drow, dsimansk, epacific, fdeutsch, fjansen, fjuma, gkamathe, gmalinko, gparvin, haoli, hkataria, ibek, istudens, ivassile, iweiss, jajackso, janstey, jburrell, jcammara, jchui, jforrest, jhardy, jhe, jkoehler, jkoops, jlledo, jmitchel, jneedle, jobarker, jprabhak, jreimann, jrokos, jsamir, jwong, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lbainbri, lgao, lilhuang, lphiri, luizcosta, mabashia, manissin, matzew, mdessi, mkleinhe, mmakovy, mnovotny, mosmerov, mpierce, mposolda, mrizzi, msochure, mstefank, msvehla, mulliken, nboldt, njean, nsoni, nwallace, nweather, oezr, omaciel, oramraz, owatkins, pahickey, pbraun, pcattana, pdelbell, pdrozd, peholase, pesilva, phoracek, pierdipi, pjindal, pmackay, pskopek, psrna, rbobbitt, rguimara, rhaigner, rhuss, rjohnson, rmartinc, rowaters, rstancel, rstepani, rtaniwa, sausingh, sdawley, shvarugh, simaishi, smaestri, smcdonal, smullick, ssilvert, stcannon, sthorger, stirabos, teagle, tfister, thason, thavo, tjochec, tkral, tom.jenkinson, vkumar, vmuzikar, wtam, yguenane, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the async Node.js package. A Regular expression Denial of Service (ReDoS) attack can potentially be triggered via the autoinject function while parsing specially crafted input.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2296999, 2297000, 2297001, 2297002, 2297003, 2297004, 2297007, 2297008, 2297009, 2297010, 2297011, 2297012, 2297013    
Bug Blocks:    

Description OSIDB Bzimport 2024-07-01 20:20:38 UTC 
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function.
Comment 1 Robb Gatica 2024-07-01 21:27:15 UTC 
References:
https://github.com/zunak/CVE-2024-39249
https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L6
https://github.com/caolan/async/blob/v3.2.5/lib/autoInject.js#L41
Comment 6 errata-xmlrpc 2024-10-01 09:03:43 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.5

Via RHSA-2024:7443 https://access.redhat.com/errata/RHSA-2024:7443
Comment 9 errata-xmlrpc 2024-12-04 01:00:00 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.6

Via RHSA-2024:10775 https://access.redhat.com/errata/RHSA-2024:10775
Comment 16 errata-xmlrpc 2025-06-04 01:58:48 UTC 
This issue has been addressed in the following products:

  RHODF-4.16-RHEL-9

Via RHSA-2025:8479 https://access.redhat.com/errata/RHSA-2025:8479
Comment 17 errata-xmlrpc 2025-06-04 20:11:44 UTC 
This issue has been addressed in the following products:

  RHODF-4.15-RHEL-9

Via RHSA-2025:8544 https://access.redhat.com/errata/RHSA-2025:8544
Comment 18 errata-xmlrpc 2025-06-04 22:59:11 UTC 
This issue has been addressed in the following products:

  RHODF-4.14-RHEL-9

Via RHSA-2025:8551 https://access.redhat.com/errata/RHSA-2025:8551