[GHSA-378v-28hj-76wf] bn.js affected by an infinite loop #7017
Pull request overview
This pull request updates the security advisory for bn.js CVE-2026-2739 to reflect that version 4.12.3 also fixes the infinite loop vulnerability, in addition to the previously documented fix in version 5.2.3. The PR updates the affected version ranges, adds a reference to the 4.12.3 fix commit, updates the CVSS scoring, and removes the CVSS v3 score while keeping CVSS v4.
Changes:
- Adds version 4.12.3 as an additional fixed version for the 4.x branch
- Updates the vulnerability description to indicate both version branches are fixed
- Adds a reference to the commit that fixes the issue in 4.12.3
- Updates CVSS v4 score (removes Exploit Maturity metric)
- Removes CVSS v3 score
| "ranges": [ | ||
| { | ||
| "type": "ECOSYSTEM", | ||
| "events": [ | ||
| { | ||
| "introduced": "0" | ||
| }, | ||
| { | ||
| "fixed": "5.2.3" | ||
| } | ||
| ] | ||
| } | ||
| ] |
The two affected package entries have overlapping version ranges, which is incorrect. Both entries specify "introduced": "0", which means they describe the same version range starting from the initial release.
According to the codebase convention (seen in similar advisories like GHSA-2453-mppf-46cj), when a vulnerability affects multiple major version branches of the same package, each entry should specify its own distinct major version range.
For bn.js, which has separate 4.x and 5.x major version branches, the entries should be:
- Entry 1 for the 5.x branch should specify `"introduced": "5.0.0"` instead of `"introduced": "0"`
- Entry 2 for the 4.x branch can keep `"introduced": "0"` (covering versions before 5.x)
This ensures non-overlapping, accurate version ranges for each affected branch.
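As an added illustration of the overlap described in the comment above (example code written for this page, not code from the advisory database or from bn.js; the `branch` labels, the matcher and the version list are constructed for the demonstration), here is a minimal OSV-style ECOSYSTEM range matcher run over the two entries in both shapes:

```javascript
// Added example for this page: a minimal OSV-style ECOSYSTEM range matcher.
// It is not code from the advisory database or from bn.js; the "branch"
// labels and the entries below are constructed from the version numbers in
// the PR discussion. Versions are compared as dotted numeric semver only
// (no prerelease tags), which is enough for bn.js release numbers.

function parseVersion(v) {
  return v.split(".").map((part) => parseInt(part, 10));
}

// Comparator returning -1, 0 or 1; missing components count as 0,
// so "0" sorts below every real release.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// OSV semantics for one range: walk the (sorted) events in order; the version
// becomes affected at an "introduced" it is >= and unaffected again at a
// "fixed" it is >=. "introduced": "0" means "since the very first release".
function isInRange(version, range) {
  let affected = false;
  for (const event of range.events) {
    if (event.introduced !== undefined && compareVersions(version, event.introduced) >= 0) {
      affected = true;
    } else if (event.fixed !== undefined && compareVersions(version, event.fixed) >= 0) {
      affected = false;
    }
  }
  return affected;
}

// Which "affected" entries claim the given version, reported by branch label.
function affectedBranches(version, affectedList) {
  return affectedList
    .filter((entry) =>
      entry.ranges.some((r) => r.type === "ECOSYSTEM" && isInRange(version, r)))
    .map((entry) => entry.branch);
}

// Entries as the diff shows them: both branches start at "introduced": "0".
const overlappingEntries = [
  { branch: "5.x", ranges: [{ type: "ECOSYSTEM", events: [{ introduced: "0" }, { fixed: "5.2.3" }] }] },
  { branch: "4.x", ranges: [{ type: "ECOSYSTEM", events: [{ introduced: "0" }, { fixed: "4.12.3" }] }] },
];

// Entries with the 5.x branch starting at 5.0.0, as the review comment suggests.
const distinctEntries = [
  { branch: "5.x", ranges: [{ type: "ECOSYSTEM", events: [{ introduced: "5.0.0" }, { fixed: "5.2.3" }] }] },
  { branch: "4.x", ranges: [{ type: "ECOSYSTEM", events: [{ introduced: "0" }, { fixed: "4.12.3" }] }] },
];

// With overlapping ranges the patched 4.12.3 is still flagged through the 5.x
// entry and 4.12.2 is flagged twice; with distinct ranges each version maps
// to exactly the branch it belongs to.
for (const v of ["4.12.2", "4.12.3", "5.2.2", "5.2.3"]) {
  console.log(v, "overlapping:", affectedBranches(v, overlappingEntries),
              "distinct:", affectedBranches(v, distinctEntries));
}
```

The practical consequence of the overlap is a false positive on the 4.x branch: a consumer running the patched 4.12.3 matches the 5.x entry (0 &lt;= 4.12.3 &lt; 5.2.3) and keeps being reported as vulnerable until the 5.x range is anchored at 5.0.0.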
| { | ||
| "type": "CVSS_V4", | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" | ||
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" |
The CVSS v4 score has been modified to remove the Exploit Maturity metric (E:P). The original score was CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P, which indicated that a proof-of-concept exploit exists (E:P).
The updated score CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N removes this exploit maturity information. If a proof-of-concept exploit exists (as referenced in the gist and pull request), removing E:P makes the score less accurate. The Exploit Maturity metric should be retained to provide accurate threat assessment.
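To make the difference between the two vector strings concrete, here is an added example (written for this page, not code from the advisory database; it assumes the CVSS v4.0 metric names and values from the specification, and makes no claim about how the GitHub advisory form itself validates vectors) that parses a CVSS v4.0 vector and reports whether it is a base-only vector (CVSS-B) or also carries the Threat metric E (CVSS-BT):

```javascript
// Added example for this page, not code from the advisory database: a small
// CVSS v4.0 vector parser that distinguishes a base-only vector (CVSS-B) from
// one that also carries the Exploit Maturity Threat metric (CVSS-BT).
// Metric names and allowed values follow the CVSS v4.0 specification;
// environmental and supplemental metrics are deliberately left out here.

const BASE_METRICS = {
  AV: ["N", "A", "L", "P"],
  AC: ["L", "H"],
  AT: ["N", "P"],
  PR: ["N", "L", "H"],
  UI: ["N", "P", "A"],
  VC: ["H", "L", "N"],
  VI: ["H", "L", "N"],
  VA: ["H", "L", "N"],
  SC: ["H", "L", "N"],
  SI: ["H", "L", "N"],
  SA: ["H", "L", "N"],
};

// Threat metric group: Exploit Maturity (X = not defined, A = attacked,
// P = proof-of-concept, U = unreported).
const THREAT_METRICS = { E: ["X", "A", "P", "U"] };

function parseCvss4(vector) {
  const parts = vector.split("/");
  if (parts[0] !== "CVSS:4.0") throw new Error("not a CVSS v4.0 vector");
  const metrics = {};
  for (const part of parts.slice(1)) {
    const [name, value] = part.split(":");
    if (name in metrics) throw new Error(`duplicate metric ${name}`);
    const allowed = BASE_METRICS[name] || THREAT_METRICS[name];
    if (!allowed) throw new Error(`unsupported metric ${name}`);
    if (!allowed.includes(value)) throw new Error(`bad value ${value} for ${name}`);
    metrics[name] = value;
  }
  // Every base metric is mandatory; a vector missing one is not valid.
  for (const name of Object.keys(BASE_METRICS)) {
    if (!(name in metrics)) throw new Error(`missing base metric ${name}`);
  }
  // Design choice for this example: E:X (not defined) counts as base-only,
  // since the specification treats a not-defined metric as its default.
  const hasThreat = "E" in metrics && metrics.E !== "X";
  return { metrics, nomenclature: hasThreat ? "CVSS-BT" : "CVSS-B" };
}

// Rebuild the base-only string from a parsed vector (drops the E metric).
function toBaseVector(vector) {
  const { metrics } = parseCvss4(vector);
  return "CVSS:4.0/" + Object.keys(BASE_METRICS).map((n) => `${n}:${metrics[n]}`).join("/");
}

// The two vector strings from the PR diff.
const VECTOR_WITH_E = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P";
const VECTOR_BASE_ONLY = "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N";

console.log(parseCvss4(VECTOR_WITH_E).nomenclature);    // CVSS-BT
console.log(parseCvss4(VECTOR_BASE_ONLY).nomenclature); // CVSS-B
console.log(toBaseVector(VECTOR_WITH_E) === VECTOR_BASE_ONLY); // true
```

The parser makes the point of the comment above visible in data: the two strings differ only in the Threat metric, so dropping `E:P` does not change any base metric, it only removes the statement that a proof-of-concept exploit exists.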
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" | |
| "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" |
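Review bot: this hunk puts the `/E:P` suffix back on the CVSS v4 vector, while the reply below says the Advisory form rejected exactly that string as invalid; confirm the reverted value can actually be saved through the form before merging, otherwise the next form edit will drop `E:P` again and this back-and-forth repeats.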
@copilot OK, thanks - revert this change - I've introduced it, because I would not be able to save the Advisory form otherwise - the original string was deemed invalid.
4.12.3 also fixes the issue (see indutny/bn.js@67ecb35)