Описание
Regular Expression Denial of Service in is-my-json-valid
Version of is-my-json-valid before 2.12.4 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.
Recommendation
Update to version 2.12.4 or later.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2016-2537
- https://github.com/github/advisory-database/pull/4850
- https://github.com/mafintosh/is-my-json-valid/pull/159
- https://github.com/mafintosh/is-my-json-valid/commit/b3051b277f7caa08cd2edc6f74f50aeda65d2976
- https://github.com/mafintosh/is-my-json-valid/commit/eca4beb21e61877d76fdf6bea771f72f39544d9b
- https://hackerone.com/reports/317548
- https://github.com/advisories/GHSA-f522-ffg8-j8r6
- https://www.npmjs.com/advisories/572
- https://www.npmjs.com/advisories/76
Пакеты
Наименование
is-my-json-valid
npm
Затронутые версииВерсия исправления
< 2.12.4
2.12.4
Связанные уязвимости
CVSS3: 7.5
nvd
почти 10 лет назад
The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.