GoogleOSV:GHSA-8CV5-P934-3HWPDenial of service in fast-csv
0.008 Low
EPSS
Percentile
81.8%
Impact
Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty option when parsing.
Patches
This has been patched in v4.3.6
Workarounds
You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6
References
This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.
Link to query run.
For more information
If you have any questions or comments about this advisory:
- Open an issue in fast-csv
| CPE | Name | Operator | Version |
|---|---|---|---|
| @fast-csv/parse | lt | 4.3.6 | |
| fast-csv | lt | 4.3.6 |
References
github.com/C2FO/fast-csv
github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e
github.com/C2FO/fast-csv/issues/540
github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp
lgtm.com/query/8609731774537641779
nvd.nist.gov/vuln/detail/CVE-2020-26256
www.npmjs.com/advisories/1587
www.npmjs.com/advisories/1588
www.npmjs.com/package/@fast-csv/parse
www.npmjs.com/package/fast-csv
Related
