js · js-toml · Critical
js-toml 1.1.0 and below: Quadratic-time DoS via parseBigInt
What changed
js-toml versions up to and including 1.1.0 have a quadratic-time vulnerability in the parseBigInt function used for hexadecimal, octal, and binary integer literals. The hand-written loop performs O(n²) BigInt multiplications, and there is no length limit on literals, allowing a single ~500 kB hex literal to pin a CPU core for ~40 seconds.
Who it affects
Any application that calls load() on attacker-controlled or third-party TOML input, such as configuration upload endpoints, CI/CD systems, IDE plugins, or multi-tenant SaaS.
What to do today
Update js-toml to a patched version (>= 1.2.0) or apply the suggested fix: replace parseBigInt with BigInt(intString) and add a maxLiteralLength guard (e.g., 1000 digits).
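As an added example (not js-toml's own code), the following shows the shape of the suggested fix for the three prefixed literal forms: a length guard applied before any parsing work, then a single BigInt() call on the prefixed string. The names parsePrefixedInteger, MAX_LITERAL_LENGTH and TomlIntegerError are assumptions, and the 1000-digit limit is the advisory's suggested value.

```javascript
// Added example, not js-toml's own code: bounded parsing of TOML hex, octal
// and binary integer literals along the lines the advisory suggests.
// MAX_LITERAL_LENGTH mirrors the suggested ~1000-digit guard; the function
// and class names are assumptions.
const MAX_LITERAL_LENGTH = 1000;

// 0x/0o/0b prefix, digits valid for that base, single underscores allowed only
// between digits (TOML syntax, e.g. 0xdead_beef, 0o755, 0b1101_0101).
const PREFIXED_INT =
  /^0(?:x[0-9A-Fa-f]+(?:_[0-9A-Fa-f]+)*|o[0-7]+(?:_[0-7]+)*|b[01]+(?:_[01]+)*)$/;

class TomlIntegerError extends Error {}

function parsePrefixedInteger(literal, maxLiteralLength = MAX_LITERAL_LENGTH) {
  // Check length first: the guard has to run before any regex or arithmetic
  // work whose cost grows with the literal's size.
  if (literal.length > maxLiteralLength) {
    throw new TomlIntegerError(
      `integer literal is ${literal.length} chars, limit is ${maxLiteralLength}`,
    );
  }
  if (!PREFIXED_INT.test(literal)) {
    throw new TomlIntegerError(`invalid prefixed integer literal: ${literal}`);
  }
  // Drop the digit separators; BigInt() parses the 0x/0o/0b prefix itself and
  // runs in the engine's native code instead of a digit-by-digit BigInt loop.
  return BigInt(literal.replace(/_/g, ''));
}

// Constructed inputs: three valid literals, one malformed, one oversized.
const samples = [
  '0xdead_beef',
  '0o755',
  '0b1101_0101',
  '0x_ff',
  '0x' + 'f'.repeat(2000),
];
for (const s of samples) {
  const shown = s.length > 16 ? s.slice(0, 16) + '...' : s;
  try {
    console.log(`${shown} -> ${parsePrefixedInteger(s)}`);
  } catch (e) {
    console.log(`${shown} -> rejected: ${e.message}`);
  }
}
```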