CVE-2026-49293
Status: Received - Intake
js-toml TOML Parser Integer Parsing CPU Exhaustion DoS

Publication date: 2026-06-19

Last updated on: 2026-06-19

Assigner: GitHub, Inc.

Description
js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. Versions up to and including 1.1.0 parse hexadecimal / octal / binary integer literals via a hand-written `parseBigInt` loop that multiplies a `BigInt` accumulator by the radix once per input digit. Each iteration performs a `BigInt * BigInt` operation on an accumulator that grows linearly with the number of digits already consumed, so the whole loop is O(n²) in the literal length. The lexer regex places no upper bound on the literal length, so a single TOML document containing one ~500 kB hex literal pins one CPU core for ~40 seconds on a modern laptop (Apple M-series, Node v22). Memory amplification is bounded but CPU amplification is severe and grows quadratically: doubling the literal length quadruples the work. A caller that invokes `load()` on attacker-controlled TOML (configuration upload endpoints, CI/CD systems ingesting third-party `*.toml`, IDE plugins, build tools) is exposed to a single-request CPU exhaustion DoS. Version 1.1.1 fixes the issue.
Meta Information
Generated: 2026-06-21
AI Q&A: 2026-06-19
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products
Vendor     Product   Version / Range
sunnyadn   js-toml   up to 1.1.0 (inclusive)
sunnyadn   js-toml   from 0.0.0 (inclusive) to 1.1.0 (inclusive)
CWE
CWE-1333: The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
CWE-407: An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Quick Actions
Executive Summary

CVE-2026-49293 is a vulnerability in the js-toml JavaScript library, which parses TOML files. Versions up to and including 1.1.0 use a custom parseBigInt loop to parse hexadecimal, octal, and binary integer literals. This loop performs one BigInt multiplication per digit on an accumulator that keeps growing, resulting in quadratic time complexity (O(n²)) relative to the length of the literal.

Because there is no upper bound on the length of these literals, an attacker can supply a very large literal (around 500 kB), causing the CPU to be heavily consumed for tens of seconds, effectively blocking the Node.js event loop and causing a denial-of-service (DoS) condition.

The vulnerability is fixed in version 1.1.1 by switching to the native V8 BigInt constructor, which operates in linear time (O(n)), and by limiting the length of radix-prefixed literals to 1000 digits.
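As an added illustration (not js-toml's actual source), the quadratic accumulator loop the advisory describes, beside the linear, capped replacement it credits to 1.1.1. The function names, underscore handling and the `compare` timer are my assumptions; the 1000-digit cap is the figure the advisory reports.

```javascript
// Illustrative reconstruction, not js-toml code. The caller is assumed to
// pass only the digits after the 0x/0o/0b prefix; TOML allows `_` between
// digits, so underscores are stripped before parsing.

// Vulnerable pattern: the accumulator grows with every digit consumed, so
// each BigInt multiply is costlier than the last and the loop is O(n^2).
function parseBigIntQuadratic(digits, radix) {
  const big = BigInt(radix);
  let acc = 0n;
  for (const ch of digits.replace(/_/g, "")) {
    acc = acc * big + BigInt(parseInt(ch, radix));
  }
  return acc;
}

const PREFIX = { 16: "0x", 8: "0o", 2: "0b" };
const MAX_RADIX_DIGITS = 1000; // cap the advisory reports for 1.1.1

// Fixed pattern: bound the digit count first, then let V8's BigInt(string)
// parse the prefixed literal in linear time.
function parseBigIntNative(digits, radix) {
  const clean = digits.replace(/_/g, "");
  if (clean.length === 0) {
    throw new SyntaxError("radix literal has no digits");
  }
  if (clean.length > MAX_RADIX_DIGITS) {
    throw new RangeError(
      `radix literal has ${clean.length} digits, limit is ${MAX_RADIX_DIGITS}`,
    );
  }
  return BigInt(PREFIX[radix] + clean);
}

// Wall-clock comparison on a constructed all-'f' hex literal. The native
// parse is called without the cap so the algorithm's own curve is visible:
// doubling nDigits roughly quadruples quadraticMs.
function compare(nDigits) {
  const digits = "f".repeat(nDigits);
  const t0 = performance.now();
  parseBigIntQuadratic(digits, 16);
  const t1 = performance.now();
  BigInt("0x" + digits);
  const t2 = performance.now();
  return { nDigits, quadraticMs: t1 - t0, nativeMs: t2 - t1 };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [5000, 10000, 20000]) console.log(compare(n));
}
```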

Impact Analysis

This vulnerability can lead to a denial-of-service (DoS) attack by exhausting CPU resources. When an attacker provides a specially crafted TOML file containing a very large radix-prefixed integer literal, the parsing process consumes excessive CPU time, blocking the event loop for tens of seconds.

This can disrupt services that use js-toml to load TOML configurations, such as configuration upload endpoints, CI/CD systems processing third-party TOML files, IDE plugins, or build tools.

The impact is a high-severity availability issue (CVSS score 7.5), causing service unavailability or degraded performance due to uncontrolled CPU consumption.

Detection Guidance

This vulnerability manifests as CPU exhaustion when parsing large radix-prefixed integer literals (hexadecimal, octal, or binary) in TOML files using js-toml library versions up to and including 1.1.0.

Detection can involve monitoring for unusually high CPU usage or event loop blocking in Node.js applications that parse TOML files, especially when processing attacker-controlled input.

Since the issue is triggered by very large (~500 kB) radix literals, you can scan TOML files for excessively long hexadecimal, octal, or binary literals.

  • Use grep or similar tools to search for large radix-prefixed literals in TOML files, for example: grep -E '0x[0-9a-fA-F]{1000,}|0o[0-7]{1000,}|0b[01]{1000,}' *.toml. Note that TOML permits underscores between digits (for example 0xdead_beef), so a literal padded with underscores will not match this pattern; add _ to each character class if you need to catch that form.
  • Monitor Node.js process CPU usage with tools such as top or htop to detect CPU spikes during TOML parsing.
  • Use Node.js profiling tools or logs to detect event loop blocking or long parsing times when calling load() on TOML input.
Mitigation Strategies

The primary mitigation is to upgrade the js-toml library to version 1.1.1 or later, which fixes the vulnerability by replacing the inefficient parseBigInt loop with V8's native BigInt constructor and limits radix-prefixed literals to 1000 digits.

If upgrading immediately is not possible, consider implementing input validation to reject TOML files containing excessively long radix-prefixed integer literals before parsing.

Additionally, monitor and limit resource usage on services that parse TOML files from untrusted sources to reduce the impact of potential attacks.
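An added pre-parse guard (not part of js-toml) that implements the scan from the detection guidance and the input-validation mitigation above: it locates radix-prefixed literals whose digit count exceeds a limit and refuses the document before `load()` is ever called. The regex, function names, the 1000-digit default (mirroring the cap the advisory reports for 1.1.1) and the sample document are assumptions.

```javascript
// Added guard, not js-toml code. Matches 0x/0o/0b literals including the
// `_` separators TOML allows; the digit count compared against the limit
// excludes those separators. A literal-looking run inside a string or
// comment is also flagged, which is the conservative outcome for a guard.
const RADIX_LITERAL = /\b0(?:x[0-9A-Fa-f_]+|o[0-7_]+|b[01_]+)/g;

// Returns one record per oversized literal: its 1-based line, prefix and
// digit count. An empty array means the document is safe to hand to load().
function findOversizedRadixLiterals(tomlText, maxDigits = 1000) {
  const hits = [];
  for (const m of tomlText.matchAll(RADIX_LITERAL)) {
    const digits = m[0].slice(2).replace(/_/g, "").length;
    if (digits > maxDigits) {
      const line = tomlText.slice(0, m.index).split("\n").length;
      hits.push({ line, prefix: m[0].slice(0, 2), digits });
    }
  }
  return hits;
}

// Throws on the first oversized literal, otherwise returns the text so it
// can be chained straight into the parser: load(assertBoundedRadixLiterals(src)).
function assertBoundedRadixLiterals(tomlText, maxDigits = 1000) {
  const hits = findOversizedRadixLiterals(tomlText, maxDigits);
  if (hits.length > 0) {
    const h = hits[0];
    throw new Error(
      `refusing to parse: ${h.prefix} literal with ${h.digits} digits ` +
        `at line ${h.line} exceeds limit of ${maxDigits}`,
    );
  }
  return tomlText;
}

// Constructed sample: two ordinary keys and one 1200-digit hex literal.
const SAMPLE = [
  'name = "demo"',
  "mask = 0xdead_beef",
  "blob = 0x" + "f".repeat(1200),
].join("\n");
```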

Compliance Impact

The provided context and resources do not contain information about how CVE-2026-49293 affects compliance with common standards and regulations such as GDPR or HIPAA.
