Add advisory: asn1 BerReader infinite loop CPU DoS (CWE-835)

[tynus3]

New vulnerability in npm package asn1 v0.2.6 (latest).

• CWE-835 (Loop with Unreachable Exit Condition)
• CVSS 7.5 High: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• Package is unmaintained (last release Nov 2021, last commit Mar 2022)
• 26.9M weekly downloads
• Public issue: BerReader.readString() infinite loop on malformed length — CPU DoS (CWE-835) TritonDataCenter/node-asn1#57

Downstream confirmed affected: sshpk (21.9M/week), ldapjs (322k/week, decommissioned),
@ldapjs/asn1 (204k/week, decommissioned). Separate advisories for those to follow.

No CVE assigned yet — requesting GHSA ID assignment.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[tynus3]

This is a new issue without an existing GHSA ID. The CI failure ("unable to match file to existing advisory") is expected — I understand the normal contribution process requires an existing GHSA entry. Could a GitHub staff member create a draft GHSA for npm/asn1 so I can update it, or advise on the correct intake process for new untracked vulnerabilities? The package is unmaintained (last release Nov 2021) so there is no maintainer to file a private advisory with.