CVE-2024-39249 – Regular Expression Denial of Service (ReDoS)

Severity: None

2025-12-19


Abstract

Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing a function in the autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: the regular expressions are not used with untrusted input.

The Oxygen products incorporate the Async JavaScript library as a third‑party library. This advisory was opened to address the potential impact of this third‑party library’s vulnerability.

Affected Products/Versions

Product                               | Severity | Fixed Release Availability
Oxygen Content Fusion v7.0 and older  | High     | N/A

Mitigation

None

Detail

CVE-2024-39249

Severity: High

CVSS Score: 7.5

CVE-2024-39249 describes a potential Regular Expression Denial of Service (ReDoS) issue in Async versions <= 2.6.4 and <= 3.2.5 related to the autoinject function. The upstream supplier disputes exploitability, noting the affected regular expressions are not used with untrusted input in realistic scenarios.

Internal review concluded this is a false positive for our use case. The vulnerable autoinject code path is not invoked by our workloads, and no untrusted input reaches Async in our implementation.
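The review above rests on two checks: whether the bundled Async version falls inside the ranges the CVE names, and whether the autoInject code path is reachable at all. The following triage helper, added here as an illustration and not part of this advisory or of the Async project, performs both checks on constructed sample input. The version ceilings (2.6.4 and 3.2.5) come from the advisory text; the call-site pattern assumes the public API name `autoInject` and that call sites are visible in source (minified or dynamically built calls would need a runtime check instead, which this example does not attempt).

```javascript
// Added example (not from the advisory or the Async project): triage helper that
// (1) checks whether an installed async version falls in the ranges named by
// CVE-2024-39249 (<= 2.6.4 on the 2.x line, <= 3.2.5 on the 3.x line) and
// (2) scans source text for call sites of autoInject, the only code path the
// advisory describes. All sample data below is constructed for the example.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Ceilings taken from the advisory text. Major versions the advisory does not
// mention (e.g. 1.x) are reported as not covered rather than guessed at.
const AFFECTED_CEILING = { 2: [2, 6, 4], 3: [3, 2, 5] };

function isAffectedAsyncVersion(version) {
  const v = parseVersion(version);
  const ceiling = AFFECTED_CEILING[v[0]];
  if (!ceiling) return false;
  return compareVersions(v, ceiling) <= 0;
}

// Matches `async.autoInject(` as well as a destructured `autoInject(` call.
// Assumption: the API name is autoInject and calls are visible in source.
const AUTOINJECT_RE = /\bautoInject\s*\(/;

function findAutoInjectCalls(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    if (AUTOINJECT_RE.test(line)) hits.push({ line: i + 1, text: line.trim() });
  });
  return hits;
}

// Verdict mirrors the advisory's reasoning: an affected version alone is not
// enough; the autoInject path must actually be reachable to warrant review.
function triage(version, source) {
  const affectedVersion = isAffectedAsyncVersion(version);
  const calls = findAutoInjectCalls(source);
  return {
    affectedVersion,
    autoInjectCalls: calls.length,
    verdict: affectedVersion && calls.length > 0 ? 'review' : 'not-applicable',
  };
}

// Constructed sample sources: one file uses autoInject, the other does not.
const SAMPLE_USING = `const async = require('async');
async.autoInject({ cfg: cb => cb(null, {}), svc: (cfg, cb) => cb(null, cfg) }, done);`;
const SAMPLE_CLEAN = `const async = require('async');
async.parallel([a, b], done);`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triage('2.6.4', SAMPLE_USING));  // affected version, call present -> review
  console.log(triage('3.2.6', SAMPLE_USING));  // version outside range -> not-applicable
  console.log(triage('3.2.5', SAMPLE_CLEAN));  // affected version, no call site -> not-applicable
}
```

Running the script against a real tree means feeding it the `async` version from the lockfile and the concatenated application sources; the "not-applicable" verdict for an affected version with no call sites is exactly the false-positive conclusion the advisory records, and a "review" verdict is the cue to confirm what input reaches the function source that autoInject parses.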
