This vulnerability is only exploitable when there are numbers with a leading `.` (e.g. `3.14`) or `e` (e.g. `3.14e+1`) in an input not validated by the library. When a user requests a key with a large number, the application will fail to parse the number correctly, causing the server to crash. This is revealed by the following error message in the API console: ``` { "kv": "3.14e+1", "message": "Invalid number: 3.14e+1" } ``` We are not aware of any published exploits for this vulnerability at this time. However, it is recommended to upgrade to a version of the library with a patch for this issue.
What to do if you are currently using a version of the library that is affected by this vulnerabilit
References
Timeline
Published on: 10/21/2022 22:15:00 UTC
Last modified on: 10/24/2022 16:08:00 UTC