Description
Regular expression Denial of Service in @progfay/scrapbox-parser
Impact
A Regular expression Denial of Service flaw was found in the @progfay/scrapbox-parser package before 6.0.3 and 7.0.2 for Node.js. An attacker who can get specially crafted text parsed may cause the application to consume an excessive amount of CPU.
Patches
Upgrade to version 6.0.3 or 7.0.2 or later.
Workarounds
Avoid parsing text that contains a large number of [ characters.
References
- https://github.com/progfay/scrapbox-parser/pull/519
- https://github.com/progfay/scrapbox-parser/pull/539
- https://github.com/progfay/scrapbox-parser/pull/540
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-27405
- https://snyk.io/vuln/SNYK-JS-PROGFAYSCRAPBOXPARSER-1076803
For more information
If you have any questions or comments about this advisory:
- Open an issue in github.com/progfay/scrapbox-parser
Links
- https://github.com/progfay/scrapbox-parser/security/advisories/GHSA-9fhw-r42p-5c7r
- https://nvd.nist.gov/vuln/detail/CVE-2021-27405
- https://github.com/progfay/scrapbox-parser/pull/519
- https://github.com/progfay/scrapbox-parser/pull/539
- https://github.com/progfay/scrapbox-parser/pull/540
- https://security.netapp.com/advisory/ntap-20210326-0002
Packages
Name: @progfay/scrapbox-parser (npm)
Affected versions: < 6.0.3
Fixed version: 6.0.3
Name: @progfay/scrapbox-parser (npm)
Affected versions: >= 7.0.0, < 7.0.2
Fixed version: 7.0.2
Related vulnerabilities
CVSS3: 7.5
nvd
almost 5 years ago
A ReDoS (regular expression denial of service) flaw was found in the @progfay/scrapbox-parser package before 6.0.3 for Node.js.