VYPR
High severity · NVD Advisory · Published Sep 15, 2022 · Updated Aug 3, 2024

CVE-2022-37260

Description

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs steal 2.2.4 via the input variable in main.js.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in stealjs steal 2.2.4 allows attackers to cause a denial of service via crafted input.

A Regular Expression Denial of Service (ReDoS) vulnerability exists in stealjs steal version 2.2.4. The issue is located in the main.js file, where a regular expression applied to the input variable is susceptible to catastrophic backtracking, leading to excessive CPU consumption when processing crafted input [1][2][4].

An attacker can exploit this by supplying a specially crafted string to the module loader's input, triggering the vulnerable regex pattern. No authentication is required when the application processes untrusted input, so the attack surface is reachable over the network [2].

The impact is a denial of service condition, where the CPU becomes saturated, potentially causing the application to become unresponsive. This can disrupt service availability for legitimate users [1][2].

As of the advisory, the vendor was notified and the issue is documented on the project's GitHub page. Users are advised to monitor the repository for a patched release and apply input validation as a temporary workaround [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: steal (npm)
Affected versions: <= 2.3.0
Patched versions: none listed

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.