Denial of Service (DoS)
Description
All versions of fast-string-search are vulnerable to Denial of Service via incorrect computations for non-string inputs leading to segmentation fault.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The fast-string-search npm package, which provides fast substring search using N-API and Boyer-Moore-MagicLen, contains a vulnerability that causes a Denial of Service (DoS) when non-string inputs are provided [1]. The flaw arises because the package does not properly validate input types, leading to incorrect computations that violate memory access permissions [2].
An attacker can exploit this vulnerability by calling functions such as indexOfSkip with a non-string argument (e.g., 1 instead of a string). This triggers a segmentation fault in the Node.js V8 engine, crashing the application [2]. The attack requires no authentication and can be triggered remotely if the application processes user-supplied data through the vulnerable functions.
Successful exploitation results in a complete service outage due to process termination. The vulnerability affects all versions of the package, and no fix is available [2]. The only mitigation is to avoid using the package or to implement input validation to ensure only string arguments are passed to its functions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
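The input-validation mitigation described above can be implemented as a wrapper around the module, shown here as an added example that is not code from the package or the advisory. It assumes the first two arguments of each exported function are the strings to search; `guardNative`, `guardModule`, `searchHandler` and the `fakeNative` stand-in are hypothetical names.

```javascript
// Added example, not fast-string-search code: only primitive strings may reach
// the native layer. Assumption: the first `stringArgs` parameters of every
// export are the texts (source, pattern); later arguments pass through unchanged.
function guardNative(fn, name, stringArgs = 2) {
  return function guarded(...args) {
    for (let i = 0; i < stringArgs; i++) {
      // typeof also rejects boxed new String("x"), Buffers, numbers, undefined.
      if (typeof args[i] !== 'string') {
        throw new TypeError(
          `${name}: argument ${i} must be a string, got ${typeof args[i]}`);
      }
    }
    return fn.apply(this, args);
  };
}

// Wrap every exported function so no call site can bypass the check.
function guardModule(mod, stringArgs = 2) {
  const guarded = {};
  for (const [name, value] of Object.entries(mod)) {
    guarded[name] =
      typeof value === 'function' ? guardNative(value, name, stringArgs) : value;
  }
  return Object.freeze(guarded);
}

// Constructed stand-in for the native addon so the example runs offline;
// an application would pass require('fast-string-search') instead.
// Its return value is illustrative, not the package's.
const calls = [];
const fakeNative = {
  indexOfSkip(source, pattern) {
    calls.push([source, pattern]);
    return source.indexOf(pattern);
  },
};
const fss = guardModule(fakeNative);

// Hypothetical request handler: fields of untrusted JSON can be any JSON type.
function searchHandler(body) {
  try {
    return { status: 200, result: fss.indexOfSkip(body.text, body.needle) };
  } catch (err) {
    if (err instanceof TypeError) return { status: 400, error: err.message };
    throw err;
  }
}
```

A rejected call raises a catchable `TypeError` in JavaScript, so the request fails with an error response instead of the process terminating.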
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| fast-string-search (npm) | <= 1.4.3 | — |
Affected products
- fast-string-search/fast-string-search
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-4263-q746-94mw (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-22138 (advisory)
- snyk.io/vuln/SNYK-JS-FASTSTRINGSEARCH-2392367