fast-xml-parser 4.2.5 vulnerability

[nileshtrivedi]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

Our system reported a vulnerability in fast-xml-parser:

fast-xml-parser vulnerable to ReDOS at currency parsing

Summary: A ReDOS exists on currency.js was discovered by Gauss Security Labs R&D team.
Details : https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/src/v5/valueParsers/currency.js#L10 contains a vulnerable regex
PoC: pass the following string '\t'.repeat(13337) + '.'
Impact: Denial of service during currency parsing in experimental version 5 of fast-xml-parser-library

The patched version is 4.4.1 but aws-sdk is bringing in a vulnerable version 4.2.5.

SDK version number

@aws-sdk/core@3.598.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.11.0

Reproduction Steps

npm install @aws-sdk/core@3.598.0

Observed Behavior

fast-xml-parser version 4.2.5 is installed

Expected Behavior

fast-xml-parser version should be 4.4.1 or above.

Possible Solution

No response

Additional Information/Context

See this GitHub Advisory: GHSA-mpg4-rc92-vx8v

[nileshtrivedi]

I noticed this has been fixed in v3.621.0.

Closing.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.