DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-5478-66C3-RHXR: Algorithmic Complexity Denial of Service in @chenglou/pretext

Vulnerability ID: GHSA-5478-66C3-RHXR
CVSS Score: 8.7
Published: 2026-04-08

The @chenglou/pretext package contains a high-severity algorithmic complexity vulnerability in its text segmentation logic. By supplying specially crafted strings of repeated punctuation characters, an attacker can trigger quadratic time complexity, O(N^2), during processing. The sustained computation blocks the JavaScript event loop or main thread, resulting in a complete Denial of Service (DoS) for the application.

TL;DR

A Denial of Service flaw in @chenglou/pretext < 0.0.5 caused by O(N^2) complexity in text segmentation blocks the JavaScript main thread. Immediate patching to version 0.0.5 is required.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Class: Algorithmic Complexity (DoS)
  • CWE ID: CWE-400
  • CVSS v4.0: 8.7 (High)
  • Attack Vector: Network
  • Impact: High (Availability)
  • Exploit Status: Proof of Concept Available

Affected Systems

  • @chenglou/pretext < 0.0.5 (Fixed in: 0.0.5)

Exploit Details

  • Vulnerability Report: Proof of concept demonstrating 20-second thread lock with 80,000 repeating characters.

Mitigation Strategies

  • Dependency Upgrade
  • Input Validation
  • Application-Level Rate Limiting

Remediation Steps:

  1. Audit project dependencies using npm audit or npm ls @chenglou/pretext to identify vulnerable package versions.
  2. Update @chenglou/pretext to version 0.0.5 with your package manager (e.g., npm install @chenglou/pretext@^0.0.5).
  3. Implement hard limits on the string length of user-supplied text processed by the application (e.g., maximum 10,000 characters).
  4. Deploy runtime monitoring to detect event loop lag exceeding 500ms, which may indicate attempted exploitation.
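Steps 3 and 4 as runnable Node.js code, added here as an illustration (not code from the advisory or from the pretext project): a length-capped wrapper that sits in front of whichever segmentation call the application makes, plus a timer-based event loop lag detector. The names guardedSegment, lagMs and createLagMonitor are hypothetical, and the segmenter passed in is a constructed stand-in for the library call.

```javascript
'use strict';

const MAX_TEXT_CHARS = 10000;   // hard input limit from remediation step 3
const LAG_THRESHOLD_MS = 500;   // event loop lag level from remediation step 4

// Enforce the length cap before any text reaches the segmenter.
// `segmentFn` is supplied by the caller and stands in for the library API.
function guardedSegment(segmentFn, text, maxChars = MAX_TEXT_CHARS) {
  if (typeof text !== 'string') throw new TypeError('text must be a string');
  if (text.length > maxChars) {
    const err = new RangeError(`input of ${text.length} chars exceeds ${maxChars}`);
    err.code = 'E_INPUT_TOO_LONG';
    throw err;
  }
  return segmentFn(text);
}

// Pure helper: how much later than scheduled did a periodic timer fire?
// A blocked event loop delays the timer, so the excess is the lag.
function lagMs(scheduledAtMs, firedAtMs, intervalMs) {
  return Math.max(0, (firedAtMs - scheduledAtMs) - intervalMs);
}

// Periodic monitor: invokes onLag(lag) whenever observed lag exceeds
// thresholdMs. Returns a stop() function so callers can shut it down.
function createLagMonitor(onLag, intervalMs = 100, thresholdMs = LAG_THRESHOLD_MS) {
  let last = Date.now();
  const timer = setInterval(() => {
    const now = Date.now();
    const lag = lagMs(last, now, intervalMs);
    last = now;
    if (lag > thresholdMs) onLag(lag);
  }, intervalMs);
  if (typeof timer.unref === 'function') timer.unref(); // don't pin the process
  return () => clearInterval(timer);
}

// Stand-alone demo with a constructed whitespace segmenter.
const stop = createLagMonitor((lag) => console.warn(`event loop lag ${lag}ms`));
const demoSegment = (s) => s.split(/\s+/).filter(Boolean);
console.log(guardedSegment(demoSegment, 'hello world'));
try {
  guardedSegment(demoSegment, '!'.repeat(80000)); // constructed oversize input
} catch (e) {
  console.log(`rejected: ${e.code}`);
}
stop();
```

In production the monitor's callback would feed a metric or alert rather than console.warn, and the cap should be applied at the request boundary so oversize bodies never reach the segmenter.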

Read the full report for GHSA-5478-66C3-RHXR on our website for more details including interactive diagrams and full exploit analysis.
