
[GHSA-378v-28hj-76wf] bn.js affected by an infinite loop#6999

Closed
richardsimko wants to merge 1 commit intorichardsimko/advisory-improvement-6999from
richardsimko-GHSA-378v-28hj-76wf

Conversation

@richardsimko

Updates

  • Affected products
  • CVSS v3
  • CVSS v4
  • Severity

Comments
indutny/bn.js#316 (comment)

4.12.3 has been released as well to address the vulnerability

Copilot AI review requested due to automatic review settings February 22, 2026 09:36
@richardsimko
Author

I don't know why the severity was changed, the form wouldn't let me submit with the existing data for some reason but my change there is unintentional.

@github-actions github-actions bot changed the base branch from main to richardsimko/advisory-improvement-6999 February 22, 2026 09:37

Copilot AI left a comment


Pull request overview

This PR updates the security advisory for bn.js vulnerability GHSA-378v-28hj-76wf to reflect the release of version 4.12.3 and adjusts severity ratings.

Changes:

  • Updated CVSS v4 score to reflect lower severity
  • Added version 4.12.3 as a fix alongside 5.2.3
  • Changed overall severity from MODERATE to LOW
  • Removed CVSS v3 scoring
  • Added database-specific metadata for affected version range


},
{
"fixed": "5.2.3"
"fixed": "5.2.3,4.12.3"
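Review bot: a `fixed` event in the OSV-format JSON this database uses holds exactly one version string, so `"fixed": "5.2.3,4.12.3"` is neither a valid version nor something a range matcher will parse, and an array would not satisfy the schema either. Model the two release lines as separate events in the same `events` list, e.g. `{"fixed": "4.12.3"}` for the 4.x line followed by `{"introduced": <first 5.x version>}, {"fixed": "5.2.3"}` for the 5.x line, or as two `affected` entries.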

Copilot AI Feb 22, 2026


The 'fixed' field appears to contain multiple version numbers in a comma-separated string format. This is inconsistent with typical JSON schema patterns for version ranges, which usually use an array structure. If this field is meant to represent multiple fixed versions, it should be an array like ['5.2.3', '4.12.3']. Verify the expected schema format for this field.

Suggested change
"fixed": "5.2.3,4.12.3"
"fixed": ["5.2.3", "4.12.3"]

{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
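Review bot: the new vector sets every impact metric (VC, VI, VA, SC, SI, SA) to N, and CVSS v4.0 scores such a vector 0.0 (None), which contradicts both the hang the advisory describes and the LOW severity this PR assigns; it also drops the E:P threat metric the previous vector carried. Keep VA:L, since an indefinite hang is an availability impact, and restore E:P unless the exploit-maturity change is intentional.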

Copilot AI Feb 22, 2026


The CVSS v4 score has all impact metrics set to 'N' (None), including VA:N (Vulnerability Availability). This is inconsistent with the vulnerability description which states methods 'enter an infinite loop, hanging the process indefinitely', which should result in availability impact. The original score had VA:L which appears more accurate for a DoS vulnerability.

Suggested change
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"

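A checker for the two points raised in the review above, added here as an example; it is not part of this PR, of bn.js, or of the advisory database's own tooling. It assumes the OSV-style `events` list that GitHub's advisory JSON uses (one key per event, a single version string per key, `"0"` meaning "from the first version") and applies CVSS v4.0's rule that a vector with every impact metric at N scores 0.0. The sample ranges are constructed from the versions on this page; the `5.0.0` start of the 5.x line is an assumption, not a value taken from the advisory.

```python
"""Sanity checks for the two advisory fields questioned in this review:
an OSV affected-range event list and a CVSS v4.0 vector string."""
import re

# Metrics CVSS v4.0 requires in every vector (the base metric group).
REQUIRED_BASE = ("AV", "AC", "AT", "PR", "UI", "VC", "VI", "VA", "SC", "SI", "SA")
# The six impact metrics; CVSS v4.0 scores a vector 0.0 (None) when all of them are N.
IMPACT_METRICS = ("VC", "VI", "VA", "SC", "SI", "SA")

# Keys an OSV range event may carry.
EVENT_KEYS = ("introduced", "fixed", "last_affected", "limit")
# One npm-style version: MAJOR.MINOR.PATCH with an optional pre-release/build suffix.
VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$")

# Vectors copied from the diff in this PR (before and after the change).
OLD_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
NEW_VECTOR = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"

# Constructed ranges: the comma-joined string from the PR, the array Copilot
# suggested, and one valid shape. "5.0.0" as the start of the 5.x line is assumed.
BAD_RANGE = {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "5.2.3,4.12.3"}]}
ARRAY_RANGE = {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": ["5.2.3", "4.12.3"]}]}
GOOD_RANGE = {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "4.12.3"},
                                              {"introduced": "5.0.0"}, {"fixed": "5.2.3"}]}


def parse_cvss4(vector):
    """Split 'CVSS:4.0/AV:N/...' into {metric: value}; reject malformed or incomplete vectors."""
    prefix, _, rest = vector.partition("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {vector!r}")
    metrics = {}
    for part in rest.split("/"):
        name, sep, value = part.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric {part!r}")
        if name in metrics:
            raise ValueError(f"duplicate metric {name}")
        metrics[name] = value
    missing = [m for m in REQUIRED_BASE if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return metrics


def cvss4_problems(vector, describes_dos=False):
    """Return findings about the impact metrics of a CVSS v4.0 vector."""
    m = parse_cvss4(vector)
    problems = []
    if all(m[k] == "N" for k in IMPACT_METRICS):
        problems.append("all impact metrics are N; CVSS v4.0 scores this vector 0.0 (None)")
    if describes_dos and m["VA"] == "N":
        problems.append("VA:N although the advisory describes a hang (availability impact)")
    return problems


def range_problems(osv_range):
    """Check that every event in an OSV range is {key: single_version_string}."""
    problems = []
    for i, event in enumerate(osv_range.get("events", [])):
        if not isinstance(event, dict) or len(event) != 1:
            problems.append(f"event {i}: expected exactly one key, got {event!r}")
            continue
        (key, value), = event.items()
        if key not in EVENT_KEYS:
            problems.append(f"event {i}: unknown key {key!r}")
        elif not isinstance(value, str):
            problems.append(f"event {i}: {key} must be a string, not {type(value).__name__}")
        elif key == "introduced" and value == "0":
            pass  # "0" is the OSV sentinel for "every version from the beginning"
        elif not VERSION_RE.match(value):
            problems.append(f"event {i}: {key} {value!r} is not a single version")
    return problems


if __name__ == "__main__":
    for label, vec in (("old", OLD_VECTOR), ("new", NEW_VECTOR)):
        print(label, "vector:", cvss4_problems(vec, describes_dos=True) or "ok")
    for label, rng in (("comma", BAD_RANGE), ("array", ARRAY_RANGE), ("split", GOOD_RANGE)):
        print(label, "range:", range_problems(rng) or "ok")
```

Running it flags the comma-joined `fixed` value, the array form, and the all-None vector, and passes the old vector and the range with one introduced/fixed pair per release line.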
@richardsimko
Author

Closing in favor of #7000 that doesn't have the unintended changes

@github-actions github-actions bot deleted the richardsimko-GHSA-378v-28hj-76wf branch February 22, 2026 09:47
1 participant