sunnyadn js-toml up to 1.1.0 TOML Parser load resource consumption

Summaryinfo

A vulnerability was found in sunnyadn js-toml up to 1.1.0 and classified as problematic. This vulnerability affects the function Load of the component TOML Parser. The manipulation results in resource consumption. This vulnerability is cataloged as CVE-2026-49293. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability classified as problematic has been found in sunnyadn js-toml up to 1.1.0. Affected is the function load of the component TOML Parser. The manipulation with an unknown input leads to a resource consumption vulnerability. CWE is classifying the issue as CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. This is going to have an impact on availability. CVE summarizes:

js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input digit. Each iteration performs a `BigInt * BigInt` operation on an accumulator that grows linearly with the number of digits already consumed, so the whole loop is O(n²) in the literal length. The lexer regex places no upper bound on the literal length, so a single TOML document containing one ~500 kB hex literal pins one CPU core for ~40 seconds on a modern laptop (Apple M-series, Node v22). Memory amplification is bounded but CPU amplification is severe and grows quadratically: doubling the literal length quadruples the work. A caller that invokes `load()` on attacker-controlled TOML (configuration upload endpoints, CI/CD systems ingesting third-party `*.toml`, IDE plugins, build tools) is exposed to a single-request CPU exhaustion DoS. Version 1.1.1 fixes the issue.

The advisory is available at github.com. This vulnerability is traded as CVE-2026-49293 since 05/28/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details are known, but there is no available exploit. This vulnerability is assigned to T1499 by the MITRE ATT&CK project.

Upgrading to version 1.1.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 1abcb31dc7b1fa88e4c848a8d108891cfbb96fa2 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Productinfo

Vendor

• sunnyadn

Name

• js-toml

Version

• 1.0
• 1.1.0

License

• open-source

Website

• Product: https://github.com/sunnyadn/js-toml/

CPE 2.3info

• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Discussion