symbolic-cfi is vulnerable to Denial of Service (DoS)
52
Medium Risk
The symbolic-cfi crate converts call frame information from object files into Breakpad ASCII format, including for Windows PE binaries. When processing a PE, AsciiCfiWriter follows the chained UNWIND_INFO list for each function without bounding how many links it traverses. A malformed or adversarial PE whose unwind info forms a self-referential or excessively long chain causes the writer to loop without terminating, pinning CPU and hanging the processing thread. The fix adds a configurable maximum chain length and returns a new ExceededUnwindChainLength error when the limit is exceeded.
You are affected if you are using a version that falls within the vulnerable range and generate CFI from untrusted Windows PE object files.
symbolic-cfi is vulnerable to Denial of Service (DoS) in versions 9.0.0 - 13.7.0.
Upgrade the symbolic-cfi library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant