CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
81.8%
Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty
option when parsing.
This has been patched in v4.3.6
You will only be affected by this if you use the ignoreEmpty
parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6
This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP
regular expression as vulnerable.
Link to query run.
If you have any questions or comments about this advisory:
Vendor | Product | Version | CPE |
---|---|---|---|
fast-csv | parse | * | cpe:2.3:a:fast-csv:parse:*:*:*:*:*:*:*:* |
fast-cpp-csv-parser_project | fast-cpp-csv-parser | * | cpe:2.3:a:fast-cpp-csv-parser_project:fast-cpp-csv-parser:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-8cv5-p934-3hwp
github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e
github.com/C2FO/fast-csv/issues/540
github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp
lgtm.com/query/8609731774537641779/
nvd.nist.gov/vuln/detail/CVE-2020-26256
www.npmjs.com/advisories/1587
www.npmjs.com/advisories/1588
www.npmjs.com/package/@fast-csv/parse
www.npmjs.com/package/fast-csv
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
81.8%