Lucene search
GoogleOSV:GHSA-F523-2F5J-GFCGHistoryAug 29, 2018 - 11:04 p.m.
Regular Expression Denial of Service in timespan
2018-08-2923:04:14
Google
osv.dev
16
EPSS
0.001
Percentile
43.0%
Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.
The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.
Recommendation
No direct patch is available for this vulnerability.
Currently, the best available solution is to use a functionally equivalent alternative package.
It is also sufficient to ensure that user input is not being passed into timespan, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.
Related
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2017-09-26 02:37:36
prion
prion
Design/Logic Flaw
2018-06-07 02:29:00
cvelist
cvelist
CVE-2017-16115
2018-06-07 02:00:00
nvd
nvd
CVE-2017-16115
2018-06-07 02:29:02
nodejs
nodejs
Regular Expression Denial of Service
2017-09-21 20:44:30
github
github
Regular Expression Denial of Service in timespan
2018-08-29 23:04:14
cve
cve
CVE-2017-16115
2018-06-07 02:29:02