NODEJS:537

Regular Expression Denial of Service

2017-09-25 19:20:56
Cristian-Alexandru Staicu
www.npmjs.com

EPSS: 0.001 Low
Percentile: 43.2%

Overview

Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input.

The issue is low severity, as it takes about 50,000 characters to block the event loop for 2 seconds.

Recommendation

Update to version 0.9.2 or later.

References

CPE

Name    Operator    Version
slug    le          0.9.1
