GHSA-v2p6-4mp7-3r9v

Опубликовано: 14 июн. 2019

Источник: github

Github: Прошло ревью

Описание

Regular Expression Denial of Service in underscore.string

Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).

The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.

Recommendation

Upgrade to version 3.3.5 or higher.

Ссылки

https://github.com/epeli/underscore.string/issues/510
https://github.com/epeli/underscore.string/pull/517
https://github.com/epeli/underscore.string/commit/f486cd684c94c12db48b45d52b1472a1b9661029
https://www.npmjs.com/advisories/745

Пакеты

Наименование

underscore.string

npm

Затронутые версииВерсия исправления

< 3.3.5

3.3.5

Дефекты

CWE-400

Дефекты

CWE-400