CVE-2026-49293
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
A vulnerability in the js-toml TOML parser for JavaScript (versions up to and including 1.1.0) causes quadratic time complexity (O(n²)) when parsing long hexadecimal, octal, or binary integer literals. An attacker can craft a TOML document containing a single ~500 kB hex literal, which on a modern laptop (Apple M-series, Node v22) pins one CPU core for approximately 40 seconds, leading to CPU exhaustion DoS.
Risk Assessment
Organizations using js-toml to process TOML data from external sources (e.g., configuration upload endpoints, CI/CD systems, IDE plugins) are exposed to a single-request DoS attack that can significantly load the server and disrupt services.
Recommendation
Immediately update the js-toml library to version 1.1.1 or later, which fixes the vulnerability. If an update is not possible, limit the size of incoming TOML documents and apply a timeout for parsing operations.
Original NVD description (English source)
js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input digit. Each iteration performs a `BigInt * BigInt` operation on an accumulator that grows linearly with the number of digits already consumed, so the whole loop is O(n²) in the literal length. The lexer regex places no upper bound on the literal length, so a single TOML document containing one ~500 kB hex literal pins one CPU core for ~40 seconds on a modern laptop (Apple M-series, Node v22). Memory amplification is bounded but CPU amplification is severe and grows quadratically: doubling the literal length quadruples the work. A caller that invokes `load()` on attacker-controlled TOML (configuration upload endpoints, CI/CD systems ingesting third-party `*.toml`, IDE plugins, build tools) is exposed to a single-request CPU exhaustion DoS. Version 1.1.1 fixes the issue.

