symbolic-debuginfo is vulnerable to Denial of Service (DoS)
33
Low Risk
The library parses debug information formats such as ELF and Breakpad from potentially untrusted files. When locating ELF sections it assumes section names begin with a . and slices section data using raw file offsets and sizes without bounds checks, so a malformed section name or an invalid offset/size can trigger a panic or out-of-bounds read. When parsing Breakpad objects it also follows inline records without any nesting-depth limit, so deeply nested inline data can cause excessive processing. The fix skips sections with unexpected names, uses bounds-checked slicing, and enforces a maximum inline nesting depth.
You are affected if you are using a version that falls within the vulnerable range and your application parses untrusted or malformed ELF or Breakpad debug files with the library.
symbolic-debuginfo is vulnerable to Denial of Service (DoS) in versions 2.0.4 - 13.8.0.
Upgrade the symbolic-debuginfo library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

I consent to receiving marketing communications based on Aikido’s Privacy Policy.
SOC 2Compliant
ISO 27001Compliant