@@ -1,21 +1,17 @@
{
"schema_version": "1.4.0",
"id": "GHSA-378v-28hj-76wf",
"modified": "2026-02-20T21:18:31Z",
"modified": "2026-02-20T21:18:32Z",
"published": "2026-02-20T06:30:39Z",
"aliases": [
"CVE-2026-2739"
],
"summary": "bn.js affected by an infinite loop",
"details": "This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
},
{
"type": "CVSS_V4",
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"

Copilot AI Feb 22, 2026

The CVSS v4 score has all impact metrics set to 'N' (None), including VA:N (Vulnerability Availability). This is inconsistent with the vulnerability description which states methods 'enter an infinite loop, hanging the process indefinitely', which should result in availability impact. The original score had VA:L which appears more accurate for a DoS vulnerability.

Suggested change
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N"
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"

}
],
"affected": [
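Review bot: the rewritten CVSS v4 `score` line sets VA:N, which contradicts both the unchanged `details` text ("hanging the process indefinitely") and the CVSS v3 vector kept two entries above, which still carries A:L; an infinite loop is an availability impact, so VA:L is the value consistent with the rest of the record. The same edit also drops the E:P threat metric from the vector; if removing the exploit-maturity supplement is intended, state that separately in the PR description so a deliberate metric removal is not read as part of the VA change. The only other change in this hunk is the one-second bump of `modified`.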
@@ -32,11 +28,14 @@
"introduced": "0"
},
{
"fixed": "5.2.3"
"fixed": "5.2.3,4.12.3"

Copilot AI Feb 22, 2026

The 'fixed' field appears to contain multiple version numbers in a comma-separated string format. This is inconsistent with typical JSON schema patterns for version ranges, which usually use an array structure. If this field is meant to represent multiple fixed versions, it should be an array like ['5.2.3', '4.12.3']. Verify the expected schema format for this field.

Suggested change
"fixed": "5.2.3,4.12.3"
"fixed": ["5.2.3", "4.12.3"]

}
]
}
]
],
"database_specific": {
"last_known_affected_version_range": "< 5.2.3"
}
}
],
"references": [
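Review bot: `"fixed": "5.2.3,4.12.3"` is not a version string, and each entry in an OSV `events` array holds exactly one string value, so neither the comma-separated form nor an array value will validate or be comparable by a range matcher. A backport fix on the 4.x line is expressed as a second `introduced`/`fixed` pair in `events`: keep `{"introduced": "0"}` followed by `{"fixed": "4.12.3"}`, then add an `introduced` event marking the start of the 5.x line followed by `{"fixed": "5.2.3"}`. `database_specific.last_known_affected_version_range` is also left at `"< 5.2.3"` in this hunk, which no longer describes the affected set once 4.12.3 is a fixed version; update it together with the events.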
@@ -81,7 +80,7 @@
"cwe_ids": [
"CWE-835"
],
"severity": "MODERATE",
"severity": "LOW",
"github_reviewed": true,
"github_reviewed_at": "2026-02-20T21:18:31Z",
"nvd_published_at": "2026-02-20T05:17:53Z"
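Review bot: lowering `severity` to LOW is inconsistent with the CVSS v3 vector retained in the first hunk, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, which scores 5.3 and so falls in the Moderate band of the CVSS-to-severity mapping the advisory database uses; with CWE-835 still listed in `cwe_ids`, the record now claims an infinite loop and no availability impact at the same time. Either change the v3 vector and the v4 VA metric together with a stated rationale in the PR, or leave `severity` at MODERATE.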