Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty
option when parsing.
This has been patched in v4.3.6
You will only be affected by this if you use the ignoreEmpty
parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6
This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP
regular expression as vulnerable.
Link to query run.
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
@fast-csv/parse | lt | 4.3.6 | |
fast-csv | lt | 4.3.6 |
github.com/C2FO/fast-csv
github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e
github.com/C2FO/fast-csv/issues/540
github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp
lgtm.com/query/8609731774537641779
nvd.nist.gov/vuln/detail/CVE-2020-26256
www.npmjs.com/advisories/1587
www.npmjs.com/advisories/1588
www.npmjs.com/package/@fast-csv/parse
www.npmjs.com/package/fast-csv