
Add advisory: asn1 BerReader infinite loop CPU DoS (CWE-835) #7561

Closed

tynus3 wants to merge 3 commits into github:tynus3/advisory-improvement-7561 from tynus3:main


Conversation


tynus3 commented Apr 30, 2026

New vulnerability in npm package asn1 v0.2.6 (latest).

Downstream confirmed affected: sshpk (21.9M/week), ldapjs (322k/week, decommissioned),
@ldapjs/asn1 (204k/week, decommissioned). Separate advisories for those to follow.

No CVE assigned yet — requesting GHSA ID assignment.

Copilot AI review requested due to automatic review settings April 30, 2026 16:10

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.


tynus3 commented Apr 30, 2026

This is a new issue without an existing GHSA ID. The CI failure ("unable to match file to existing advisory") is expected — I understand the normal contribution process requires an existing GHSA entry. Could a GitHub staff member create a draft GHSA for npm/asn1 so I can update it, or advise on the correct intake process for new untracked vulnerabilities? The package is unmaintained (last release Nov 2021) so there is no maintainer to file a private advisory with.

@github-actions github-actions Bot changed the base branch from main to tynus3/advisory-improvement-7561 May 1, 2026 08:48
github-actions Bot commented

👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label May 18, 2026

shelbyc commented May 20, 2026

Hi @tynus3, per the GHAD's contributing guidelines, the GHAD isn't for coordinating disclosure or for escalating a case where a maintainer is unresponsive. Because GitHub's CNA scope limits us to "CVEs requested by code owners using the GitHub Security Advisories feature," you'll need to go to a CNA that is not GitHub, such as MITRE (https://cveform.mitre.org), to receive a CVE.

@shelbyc shelbyc closed this May 20, 2026