GitHub Advisory DatabaseGHSA-XRX9-GJ26-5WX9v8n vulnerable to Inefficient Regular Expression Complexity
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
50.0%
Impact
Inefficient regular expression complexity of lowercase() and uppercase() regex could lead to a denial of service attack. With a formed payload 'a' + 'a'.repeat(i) + 'A', only 32 characters payload could take 29443 ms time execution when testing lowercase(). The same issue happens with uppercase().
Patches
v1.5.1
References
huntr.dev report
Regular Expression Denial of Service (ReDoS) and Catastrophic Backtracking
For more information
If you have any questions or comments about this advisory:
- Open an issue in v8n issues list
- Email us at [email protected]
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| v8n_project | v8n | * | cpe:2.3:a:v8n_project:v8n:*:*:*:*:*:node.js:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
50.0%