big-rat suffers a DoS issue with NaN argument

[zyscoder]

Version

node v22.11.0
npm 10.9.0

Platform

Linux u24vm 6.8.0-48-generic #48-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 14:04:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

What steps will reproduce the bug?

2. Try to install the package: big-rat

a. npm init -y
b. npm shrinkwrap
c. npm install --save big-rat
d. npm audit fix

the final package.json is as follows:

{
  "name": "package-7a18f42fc351679bd22de3b2940e74e5",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "description": "",
  "dependencies": {
    "big-rat": "^1.0.4"
  }
}

2. Setup a node instance,

node

3. and run the following javascript code.

(async function() {
    var lib = await import('big-rat');
    var result = lib.default(NaN, 1);;
})();

Then the node instance will hang and no response returned.

How often does it reproduce? Is there a required condition?

This issue can always be triggered following the steps above.

What is the expected behavior? Why is that the expected behavior?

No matter return a NaN or throw an exception, or take any other response. At least avoiding a DoS result.

What do you see instead?

» node
Welcome to Node.js v22.11.0.
Type ".help" for more information.

(async function() {
... var lib = await import('big-rat');
... var result = lib.default(NaN, 1);;
... })();
Promise {
,
[Symbol(async_id_symbol)]: 28,
[Symbol(trigger_async_id_symbol)]: 6
}
(the node server hanged here.)