GHSA-V3RJ-XJV7-4JMQ

Vulnerability from github – Published: 2026-03-25 21:03 – Updated: 2026-03-25 21:03
VLAI?
Summary
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines
Details

Summary

An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.

The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.

Proof of concept

require("smol-toml").parse('# comment\n'.repeat(8000) + 'key = "value"')

Impact

Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.

Due to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.

As a reminder, it is strongly advised when working with untrusted user input to expect errors to occur and to appropriately catch them.

Patches

Version 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.

Workarounds

Wrap all invocations of parse and stringify in a try/catch block when dealing with untrusted user input.

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "smol-toml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-674"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-25T21:03:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nAn attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.\n\nThe library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.\n\n### Proof of concept\n```js\nrequire(\"smol-toml\").parse(\u0027# comment\\n\u0027.repeat(8000) + \u0027key = \"value\"\u0027)\n```\n\n### Impact\nApplications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid input. Downstream users are supposed to properly handle errors in such situations.\n\nDue to the design of most JavaScript runtimes, the uncontrolled recursion does not lead to excessive memory usage and the execution is quickly aborted.\n\nAs a reminder, it is **strongly** advised when working with untrusted user input to expect errors to occur and to appropriately catch them.\n\n### Patches\nVersion 1.6.1 uses a different approach for parsing comments, which no longer involves recursion.\n\n### Workarounds\nWrap all invocations of `parse` and `stringify` in a try/catch block when dealing with untrusted user input.",
  "id": "GHSA-v3rj-xjv7-4jmq",
  "modified": "2026-03-25T21:03:56Z",
  "published": "2026-03-25T21:03:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/squirrelchat/smol-toml/security/advisories/GHSA-v3rj-xjv7-4jmq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/squirrelchat/smol-toml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/squirrelchat/smol-toml/releases/tag/v1.6.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.