CVE-2024-39249 – Regular Expression Denial of Service (ReDoS)
Severity: None
Date: 2025-12-19
Abstract
Async <= 2.6.4 and <= 3.2.5 are vulnerable to ReDoS (Regular Expression Denial of Service) while parsing function in autoinject function. NOTE: this is disputed by the supplier because there is no realistic threat model: regular expressions are not used with untrusted input.
The Oxygen products incorporate the Async JavaScript library as a third-party library. This advisory was opened to address the potential impact of this third-party library's vulnerability.
Affected Products/Versions
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Oxygen Content Fusion v8.0 and older | None | N/A |
| Oxygen XML Editor v27.1 and older | None | Oxygen XML Editor 27.1 build 2025063013 |
| Oxygen XML Author v27.1 and older | None | Oxygen XML Author 27.1 build 2025063013 |
| Oxygen XML Developer v27.1 and older | None | Oxygen XML Developer 27.1 build 2025063013 |
| Oxygen Publishing Engine v27.1 and older | None | Oxygen Publishing Engine 27.1 build 2025063009 |
| Oxygen XML WebHelp v27.1 and older | None | Oxygen XML WebHelp 27.1 build 2025063008 |
Detail
CVE-2024-39249
Severity: High
CVSS Score: 7.5
CVE-2024-39249 describes a potential Regular Expression Denial of Service (ReDoS) issue in Async versions <= 2.6.4 and <= 3.2.5 related to the autoinject function. The upstream supplier disputes exploitability, noting the affected regular expressions are not used with untrusted input in realistic scenarios.
Internal review concluded this is a false positive for our use case. The vulnerable autoinject code path is not invoked by our workloads, and no untrusted input reaches Async in our implementation.
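The two facts the review above rests on (the installed Async version falls in the affected ranges, and the autoinject code path is or is not invoked) can be checked mechanically. The following is an added triage helper, not code from this advisory or from the Async project; it encodes the version ranges stated above and scans a constructed sample source for autoinject call sites (the library exports the function as `autoInject`, so the match is case-insensitive).

```javascript
// Added triage helper, not part of the advisory or of the Async library:
// checks an installed Async version against the ranges named in this
// advisory and looks for call sites of the autoinject entry point.

// Parse "MAJOR.MINOR.PATCH" (a leading "v" is tolerated) into numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two parsed versions: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Last affected release per major line, as stated in the advisory.
const LAST_AFFECTED = { 2: [2, 6, 4], 3: [3, 2, 5] };

// True when the version sits on an affected line and is not newer than
// the last affected release of that line.
function isAffectedVersion(version) {
  const v = parseVersion(version);
  const last = LAST_AFFECTED[v[0]];
  if (!last) return false; // major line outside the ranges the advisory names
  return cmp(v, last) <= 0;
}

// Return 1-based line numbers that call autoinject(...). The match is
// case-insensitive because the library exports the function as autoInject.
function findAutoinjectUses(source) {
  const pattern = /\bautoinject\s*\(/i;
  return source
    .split("\n")
    .map((text, i) => (pattern.test(text) ? i + 1 : null))
    .filter((n) => n !== null);
}

// Constructed sample application source (not from any real project).
const SAMPLE_SOURCE = [
  "const async = require('async');",
  "async.parallel([taskA, taskB], done);",
  "async.autoInject({ db: connect, user: ['db', fetchUser] }, done);",
].join("\n");
```

Run `findAutoinjectUses` over each application file and `isAffectedVersion` over the version in the lockfile; an affected version with zero call sites is the situation the review above describes, while any hit means the autoinject path is reachable and the trusted-input argument must be re-examined for that file.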
