Description
js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input digit. Each iteration performs a `BigInt * BigInt` operation on an accumulator that grows linearly with the number of digits already consumed, so the whole loop is O(n²) in the literal length. The lexer regex places no upper bound on the literal length, so a single TOML document containing one ~500 kB hex literal pins one CPU core for ~40 seconds on a modern laptop (Apple M-series, Node v22). Memory amplification is bounded but CPU amplification is severe and grows quadratically: doubling the literal length quadruples the work. A caller that invokes `load()` on attacker-controlled TOML (configuration upload endpoints, CI/CD systems ingesting third-party `*.toml`, IDE plugins, build tools) is exposed to a single-request CPU exhaustion DoS. Version 1.1.1 fixes the issue.
Published: 2026-06-19
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when js‑toml parses radix‑prefixed integer literals. Its hand‑written BigInt parser multiplies the accumulator by the radix for each digit, making the total cost quadratic in the literal length. An attacker can supply a very long hexadecimal, octal, or binary literal in a TOML document, causing the parser to perform a quadratic number of BigInt multiplications and saturate a CPU core. The result is a single‑request CPU‑exhaustion denial‑of‑service that can render a node process unresponsive. The weakness maps to CWE‑1333 (Excessive CPU Usage), CWE‑400 (Uncontrolled Resource Consumption), and CWE‑407 (Inefficient Algorithm).

Affected Systems

The affected product is the js‑toml TOML parser library maintained by sunnyadn. Versions up to and including 1.1.0 are vulnerable; version 1.1.1 introduces the fix. Any JavaScript runtime that parses untrusted TOML through the library's load() function (configuration upload endpoints, CI/CD pipelines, IDE plugins, or build tools that ingest third‑party *.toml files) may be exposed.

Risk and Exploitability

The vulnerability has a CVSS score of 7.5, indicating high severity. EPSS is not available, and the flaw is not listed in the CISA KEV catalog. The most likely attack vector is remote, where an attacker can supply malicious TOML payloads to a service that uses js‑toml. Because the DoS can be triggered with a single crafted request, an adversary with network access to a vulnerable service can easily exhaust CPU resources. The impact is limited to availability and can be mitigated by updating the library; until that update is applied, an attacker can still trigger the quadratic cost by sending large literals.

Generated by OpenCVE AI on June 19, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade js‑toml to version 1.1.1 or later.
  • Implement size limits on TOML files before parsing to prevent extremely long integer literals.
  • Monitor CPU usage of services using js‑toml and throttle or block requests when anomalous usage spikes.

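As an added example (not code from js-toml, from the 1.1.1 fix, or from this record), the following shows the quadratic accumulate-and-multiply pattern the Description names beside a hardened parser that caps the digit count before doing any arithmetic and then converts with the engine's native BigInt string parser, plus a linear pre-parse gate that implements the "size limits before parsing" recommendation above. `MAX_DIGITS`, `parseRadixLiteral`, `longestRadixLiteralDigits`, `isSafeToParse` and the sample document are assumptions of this example, not js-toml settings or APIs; the claim that native conversion of a power-of-two radix string is linear is an assumption about the engine.

```javascript
// Added example for this advisory (not js-toml's own code): a TOML radix-literal
// parser that caps the digit count and converts in linear time, shown beside the
// quadratic accumulate-and-multiply pattern the advisory describes. MAX_DIGITS is
// an assumed policy value; js-toml does not expose such a setting.

// TOML 1.0.0: prefixes are lowercase, hex digits are case-insensitive, and a
// single underscore is allowed only between two digits.
const RADIX = { '0x': 16, '0o': 8, '0b': 2 };
const DIGITS_RE = {
  16: /^[0-9A-Fa-f](?:_?[0-9A-Fa-f])*$/,
  8: /^[0-7](?:_?[0-7])*$/,
  2: /^[01](?:_?[01])*$/,
};
const MAX_DIGITS = 64; // assumed cap: 64 hex digits is 256 bits, well above any legitimate config value

// The pattern the advisory describes: one BigInt multiply per digit against an
// accumulator that grows with every digit consumed, so total cost is O(n^2).
function parseBigIntQuadratic(digits, radix) {
  const r = BigInt(radix);
  let acc = 0n;
  for (const ch of digits) {
    if (ch === '_') continue;
    acc = acc * r + BigInt(parseInt(ch, radix)); // cost grows with acc's bit length
  }
  return acc;
}

// Hardened replacement: reject oversized input before any arithmetic, validate the
// TOML shape, then let the engine's native string-to-BigInt conversion do the work.
// Native conversion of a power-of-two radix string is assumed linear in the digit
// count (each digit maps to a fixed number of bits), unlike the loop above.
function parseRadixLiteral(literal, maxDigits = MAX_DIGITS) {
  const prefix = literal.slice(0, 2);
  const radix = RADIX[prefix];
  if (radix === undefined) {
    throw new SyntaxError(`not a radix-prefixed TOML integer: ${literal.slice(0, 16)}`);
  }
  const body = literal.slice(2);
  // Underscores may appear at most once between digits, so a valid body has at
  // most 2*digits-1 characters; this O(1) length check rejects huge input early.
  if (body.length > 2 * maxDigits - 1) {
    throw new RangeError(`radix literal exceeds ${maxDigits} digits`);
  }
  if (!DIGITS_RE[radix].test(body)) {
    throw new SyntaxError(`malformed radix literal: ${literal.slice(0, 16)}`);
  }
  const digits = body.replace(/_/g, '');
  if (digits.length > maxDigits) {
    throw new RangeError(`radix literal exceeds ${maxDigits} digits`);
  }
  return BigInt(prefix + digits); // BigInt() accepts 0x/0o/0b-prefixed strings
}

// Pre-parse gate for the "size limit before parsing" recommendation: a single
// linear scan that reports the longest radix-prefixed token in a document, so a
// caller can refuse the document before handing it to load(). It is deliberately
// conservative (it also counts such tokens inside strings or comments).
function longestRadixLiteralDigits(tomlText) {
  const tokenRe = /\b0[xob]([0-9A-Fa-f_]+)/g;
  let longest = 0;
  for (const m of tomlText.matchAll(tokenRe)) {
    const count = m[1].replace(/_/g, '').length;
    if (count > longest) longest = count;
  }
  return longest;
}

function isSafeToParse(tomlText, maxDigits = MAX_DIGITS) {
  return longestRadixLiteralDigits(tomlText) <= maxDigits;
}

// Constructed sample document (not from the advisory).
const SAMPLE_TOML = 'port = 0x1F90\nmode = 0o755\nflags = 0b1101_0110\n';
```

The gate runs before `load()` and costs one pass over the bytes, so a document carrying a multi-hundred-kilobyte literal is refused in milliseconds instead of occupying a core for tens of seconds; the cap should be set from what the configuration schema actually needs (a few dozen digits covers any address, mask or permission bits), and a total document size limit at the transport layer remains the simpler first line of defence.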

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Sunnyadn
                                      Sunnyadn js-toml
Vendors & Products   -                Sunnyadn
                                      Sunnyadn js-toml

Fri, 19 Jun 2026 18:45:00 +0000

Type                 Values Removed   Values Added
Description          -                (the Description text shown at the top of this record)
Title                -                CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
Weaknesses           -                CWE-1333, CWE-400, CWE-407
References           -                -
Metrics              -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-19T18:14:20.150Z

Reserved: 2026-05-28T20:07:58.862Z

Link: CVE-2026-49293

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T20:30:04Z

Weaknesses
  • CWE-1333 Inefficient Regular Expression Complexity
  • CWE-400 Uncontrolled Resource Consumption
  • CWE-407 Inefficient Algorithmic Complexity