Intel

AIKIDO-2026-735017

@statsig/statsig-node-core is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

45

Medium Risk

This Affects:

JS@statsig/statsig-node-core
0.4.0 - 0.19.4
Fixed in 0.19.5
Are you affected? Scan for Free

TL;DR

The ExposureSampling component in the shared Rust core deduplicates exposure events using an in-memory set keyed by an exposure sampling key. Entries are added for every unique key and the set is only emptied on a periodic reset or after it grows past a fixed size, so memory accumulates with the number of distinct keys seen between resets. Applications that produce many unique exposure keys, such as evaluating gates or experiments for high-cardinality per-request users, can drive unbounded memory growth and exhaust process memory. The fix replaces the unbounded set with a bounded LruCache and adds a configurable exposure_dedupe_max_keys cap that evicts least-recently-used entries once the limit is reached.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@statsig/statsig-node-core is vulnerable to Denial of Service (DoS) in versions 0.4.0 - 0.19.4.

How to fix this

Upgrade the @statsig/statsig-node-core library to the patch version.