bn.js
Fixed in
5.2.3
4.12.3
CVE-2026-2739 is a vulnerability affecting the bn.js JavaScript library. It arises from a flaw in the maskn(0) function, where calling it on a BN instance corrupts the internal state. This corruption can trigger an infinite loop when using methods like toString(), divmod(), and others, effectively freezing the process. The vulnerability impacts versions of bn.js prior to 4.12.3 and 5.2.3, and a patch is available in versions 4.12.3 and 5.2.3.
CVE-2026-2739 in bn.js affects versions prior to 4.12.3 and 5.2.3. This is an internal state corruption vulnerability triggered by calling maskn(0) on any BN instance. Once the instance is corrupted, methods like toString(), divmod(), and others enter an infinite loop, resulting in an indefinite process hang. The severity of this issue lies in its potential to cause a denial-of-service (DoS) condition in applications that use bn.js for arbitrary-precision arithmetic. The impact is particularly significant in production environments where availability and stability are critical. The vulnerability does not require authentication, making it remotely exploitable if the library is used in an exposed context, such as a web server or API.
Exploitation of this vulnerability requires access to an environment where a vulnerable version of bn.js is in use. An attacker could cause maskn(0) to be called on a BN instance, for example through a malicious HTTP request to an API that passes attacker-influenced values into the library. Since the vulnerability does not require authentication, it could be exploited remotely. The impact of exploitation is a denial of service, as the process hangs indefinitely. Detection can be difficult, as the hang may resemble a random failure. It is important to monitor the performance of applications that use bn.js and look for unusual hanging patterns.
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The solution to mitigate CVE-2026-2739 is to update the bn.js library to version 4.12.3 or higher, or to version 5.2.3 or higher. These versions contain a fix that prevents the internal state corruption when calling maskn(0). It is recommended to perform this update as soon as possible to protect your applications from potential attacks. If an update is not immediately possible, consider implementing input validation so that maskn() is never called with the argument 0. However, this measure is less secure than updating to a patched version. Regularly reviewing project dependencies and applying security updates is crucial for maintaining a secure development environment.
Update the bn.js dependency to version 5.2.3 or higher. This fixes the internal state corruption when calling maskn(0) and prevents the infinite loop in methods like toString() and divmod(). Run `npm install bn.js@latest` or `yarn upgrade bn.js` to update.
bn.js is a JavaScript library for performing arbitrary-precision integer arithmetic.
Review your project's dependencies and check the version of bn.js you are using. If it is prior to 4.12.3 or 5.2.3, it is vulnerable.
As a temporary measure, you can validate input so that maskn() is never called with the argument 0, but this is not a complete solution.
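The dependency check and the interim input guard described above, as an added example that is not bn.js project code or part of the original advisory. It assumes a lockfile in npm's v2/v3 `packages` layout, and the sample lockfile, `some-dep` and the `safeMaskn` helper name are constructed for illustration.

```javascript
// Added example, not bn.js project code: flag bn.js versions affected by
// CVE-2026-2739 (below 4.12.3, and 5.x below 5.2.3 per the advisory) and
// guard the maskn(0) call the advisory describes.
function parseSemver(version) {            // "v?MAJOR.MINOR.PATCH", rest dropped
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new TypeError(`not a semver string: ${version}`);
  return m.slice(1, 4).map(Number);
}
function compareSemver(a, b) {             // -1, 0 or 1, tuple order
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
// True when an installed bn.js version falls in the affected range.
function isVulnerableBnVersion(version) {
  const [major] = parseSemver(version);
  return compareSemver(version, major >= 5 ? '5.2.3' : '4.12.3') < 0;
}
// Walk a parsed package-lock.json "packages" map (lockfile v2/v3) and list
// every bn.js copy, nested ones included, that is still vulnerable.
function findVulnerableBnInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/bn.js') && entry.version &&
        isVulnerableBnVersion(entry.version)) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}
// Interim mitigation while an upgrade is pending: refuse a non-positive bit
// count before it reaches bn.js. `bn` is any object exposing maskn().
function safeMaskn(bn, bits) {
  if (!Number.isSafeInteger(bits) || bits <= 0) {
    throw new RangeError(`maskn() needs a positive bit count, got ${bits}`);
  }
  return bn.maskn(bits);
}
// Constructed sample lockfile (not a real project): the top-level bn.js is
// fixed, but a transitive copy under another package is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/bn.js': { version: '5.2.3' },
    'node_modules/some-dep': { version: '1.0.0' },
    'node_modules/some-dep/node_modules/bn.js': { version: '4.12.2' },
  },
};
console.log(findVulnerableBnInLock(SAMPLE_LOCK));
```

Nested copies matter because `npm ls bn.js` style checks of the top-level version alone would report this project as fixed.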
Currently, there are no specific tools to detect this vulnerability, but application performance monitoring can help identify unusual hangs.
You can find more information about the vulnerability in the CVE-2026-2739 entry in vulnerability databases like the National Vulnerability Database (NVD).