GHSA-f523-2f5j-gfcg

Опубликовано: 29 авг. 2018

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

Regular Expression Denial of Service in timespan

Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.

The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.

Recommendation

No direct patch is available for this vulnerability.

Currently, the best available solution is to use a functionally equivalent alternative package.

It is also sufficient to ensure that user input is not being passed into timespan, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.

Ссылки

Пакеты

Наименование

timespan

npm

Затронутые версииВерсия исправления

<= 2.3.0

Отсутствует

EPSS

Процентиль: 51%

0.0028

Низкий

7.5 High

CVSS3

CVE ID

CVE-2017-16115

Дефекты

CWE-400

Связанные уязвимости

CVE-2017-16115

CVSS3: 7.5

nvd

больше 7 лет назад

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

EPSS

Процентиль: 51%

0.0028

Низкий

7.5 High

CVSS3

CVE ID

CVE-2017-16115

Дефекты

CWE-400