Skip to main content

Js Toml

2 CVEs product

Monthly

CVE-2026-49293 npm HIGH POC PATCH GHSA This Week

Denial of service in js-toml versions up to and including 1.1.0 allows remote attackers to exhaust CPU resources by submitting a single TOML document containing an oversized hexadecimal, octal, or binary integer literal. The hand-written parseBigInt loop exhibits O(n²) complexity, and a ~500 kB literal pins one CPU core for ~40 seconds; no public exploit identified at time of analysis, but the patched commit and test suite serve as a clear blueprint. Applies to any service invoking load() on attacker-controlled TOML, such as configuration upload endpoints, CI/CD pipelines, IDE plugins, and build tools.

Apple Denial Of Service Js Toml
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-54803 npm HIGH POC PATCH This Month

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Js Toml
NVD GitHub
CVSS 4.0
7.9
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in js-toml versions up to and including 1.1.0 allows remote attackers to exhaust CPU resources by submitting a single TOML document containing an oversized hexadecimal, octal, or binary integer literal. The hand-written parseBigInt loop exhibits O(n²) complexity, and a ~500 kB literal pins one CPU core for ~40 seconds; no public exploit identified at time of analysis, but the patched commit and test suite serve as a clear blueprint. Applies to any service invoking load() on attacker-controlled TOML, such as configuration upload endpoints, CI/CD pipelines, IDE plugins, and build tools.

Apple Denial Of Service Js Toml
NVD GitHub
EPSS 0% CVSS 7.9
HIGH POC PATCH This Month

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Rated high severity (CVSS 7.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Prototype Pollution Information Disclosure Js Toml
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy