
CVE-2026-49293: CWE-400: Uncontrolled Resource Consumption in sunnyadn js-toml

Severity: High
Tags: Vulnerability, CVE-2026-49293, CWE-400, CWE-407, CWE-1333
Published: Fri Jun 19 2026 (06/19/2026, 18:14:20 UTC)
Source: CVE Database V5
Vendor/Project: sunnyadn
Product: js-toml

Description

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input digit. Each iteration performs a `BigInt * BigInt` operation on an accumulator that grows linearly with the number of digits already consumed, so the whole loop is O(n²) in the literal length. The lexer regex places no upper bound on the literal length, so a single TOML document containing one ~500 kB hex literal pins one CPU core for ~40 seconds on a modern laptop (Apple M-series, Node v22). Memory amplification is bounded but CPU amplification is severe and grows quadratically: doubling the literal length quadruples the work. A caller that invokes `load()` on attacker-controlled TOML (configuration upload endpoints, CI/CD systems ingesting third-party `*.toml`, IDE plugins, build tools) is exposed to a single-request CPU exhaustion DoS. Version 1.1.1 fixes the issue.

CVSS v3.1

Score: 7.5 (High)

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected software

js-toml (pkg:npm/js-toml)
Affected versions: <=1.1.0


AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/19/2026, 18:51:01 UTC

Technical Analysis

The js-toml JavaScript TOML parser (up to version 1.1.0) uses a hand-written parseBigInt loop to parse integer literals in hexadecimal, octal, and binary formats. This loop multiplies a BigInt accumulator by the radix for each digit, resulting in quadratic time complexity (O(n²)) relative to the number of digits. Because the lexer regex does not limit literal length, an attacker can supply a very large literal (e.g., ~500 kB hex literal) that causes excessive CPU usage, effectively exhausting CPU resources and causing a denial of service. The vulnerability is fixed in version 1.1.1.

Potential Impact

An attacker can cause a denial of service by submitting a TOML document with a very large integer literal, which triggers excessive CPU consumption due to quadratic parsing complexity. This can pin a CPU core for tens of seconds on modern hardware, degrading availability of services that parse attacker-controlled TOML inputs (such as configuration upload endpoints, CI/CD systems, IDE plugins, or build tools). There is no impact on confidentiality or integrity.

Mitigation Recommendations

Upgrade to js-toml version 1.1.1 or later, where this CPU exhaustion vulnerability is fixed. Until upgraded, avoid parsing untrusted or attacker-controlled TOML documents that may contain large integer literals. The advisory does not state a separate patch status, but its description confirms that the fix ships in version 1.1.1.
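For deployments that cannot upgrade immediately, one practical interim control for the advice above is to bound the length of prefixed integer literals before the document ever reaches `load()`. The following is an added example, not code from js-toml or this advisory; it assumes the parser's `load(text)` entry point and uses a constructed digit budget and constructed sample documents.

```javascript
// Added example (not js-toml code): a pre-parse guard that rejects TOML text carrying
// hexadecimal / octal / binary integer literals longer than a chosen digit budget, so a
// vulnerable js-toml <= 1.1.0 load() is never handed a multi-hundred-kilobyte literal.
// The scan is a single linear regex pass over the input, so it cannot itself be
// driven into quadratic time the way the parseBigInt loop can.

// TOML 1.0 permits underscores between digits in these literals, so they are consumed
// here and stripped before the digit count is taken. The character class is the hex
// set for all three prefixes on purpose: over-matching keeps the guard conservative.
const PREFIXED_INT = /\b0([xob])([0-9A-Fa-f_]+)/g;

// Returns the offending literals (prefix, digit count, offset); empty when within budget.
function findOversizedIntegerLiterals(tomlText, maxDigits = 64) {
  const offenders = [];
  for (const m of tomlText.matchAll(PREFIXED_INT)) {
    const digits = m[2].replace(/_/g, '');
    if (digits.length > maxDigits) {
      offenders.push({ prefix: '0' + m[1], digits: digits.length, index: m.index });
    }
  }
  return offenders;
}

// Wraps a parser's load(text) with the guard. A long hex-looking token inside a string
// or comment is also rejected; for untrusted input that false positive is acceptable.
function guardedLoad(tomlText, load, maxDigits = 64) {
  const offenders = findOversizedIntegerLiterals(tomlText, maxDigits);
  if (offenders.length > 0) {
    const o = offenders[0];
    throw new Error(
      `rejected ${o.prefix} literal with ${o.digits} digits at offset ${o.index} (limit ${maxDigits})`
    );
  }
  return load(tomlText);
}

// Constructed sample documents: an ordinary config and one with an oversized hex literal.
const benign = 'port = 8080\nmask = 0xFF_FF\nperms = 0o755\nbits = 0b1010\n';
const hostile = 'port = 8080\nblob = 0x' + 'f'.repeat(200_000) + '\n';

// Typical use with the real parser (assumed entry point):
//   const { load } = require('js-toml');
//   const config = guardedLoad(untrustedText, load);
```

A budget of 64 digits already covers any 64-bit integer in all three radices; raise it only if a legitimate input genuinely needs wider literals.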


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-05-28T20:07:58.862Z
CVSS Version: 3.1
State: PUBLISHED
Remediation Level: null

Threat ID: 6a358c5cf198dc38c1f2fbb5

Added to database: 6/19/2026, 6:37:16 PM

Last enriched: 6/19/2026, 6:51:01 PM

Last updated: 6/19/2026, 11:02:29 PM

