220 matches found

Github Security Blog
added 2025/02/12 7:45 p.m., 40 views

parse-duration has a Regex Denial of Service that results in event loop delay and out of memory

Summary: This report finds 2 availability issues due to the regex used in the parse-duration npm package: 1. An event loop delay due to the CPU-bound operation of resolving the provided string, from 0.5ms up to 50ms per operation, for input sizes from 0.01 MB up to 4.3 MB...

CVSS 7.5 · AI score 7 · EPSS 0.00715
Exploits 0 · References 5 · Affected Software 1
OSV
added 2025/02/12 7:45 p.m., 7 views

GHSA-HCRG-FC28-FCG5 parse-duration has a Regex Denial of Service that results in event loop delay and out of memory

Summary: This report finds 2 availability issues due to the regex used in the parse-duration npm package: 1. An event loop delay due to the CPU-bound operation of resolving the provided string, from 0.5ms up to 50ms per operation, for input sizes from 0.01 MB up to 4.3 MB...

CVSS 7.5 · AI score 7.4 · EPSS 0.00715
Exploits 0 · References 5
NVD
added 2025/02/12 7:15 p.m., 31 views

CVE-2025-25283

parse-duration is software that allows users to convert a human-readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from 0.5ms up to 50ms per operation, with a varying size from...

CVSS 7.5 · EPSS 0.00715
Exploits 0 · References 3
OSV
added 2025/02/12 6:58 p.m., 2 views

CLSA-2025-1739386692 libvirt: Fix of 2 CVEs

- CVE-2024-2496: fix memory corruption listing interfaces
- CVE-2024-4418: fix stack use-after-free in event loop...

CVSS 6.2 · AI score 6.7 · EPSS 0.00486
Exploits 0 · References 1
Vulnrichment
added 2025/02/12 6:21 p.m., 20 views

CVE-2025-25283 parse-duration vulnerable to Regex Denial of Service that results in event loop delay and out of memory

parse-duration is software that allows users to convert a human-readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from 0.5ms up to 50ms per operation, with a varying size from...

CVSS 7.5 · AI score 7.4 · EPSS 0.00715
Exploits 0 · References 3
Cvelist
added 2025/02/12 6:21 p.m., 33 views

CVE-2025-25283 parse-duration vulnerable to Regex Denial of Service that results in event loop delay and out of memory

parse-duration is software that allows users to convert a human-readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from 0.5ms up to 50ms per operation, with a varying size from...

CVSS 7.5 · EPSS 0.00715
Exploits 0 · References 3
Snyk
added 2025/02/12 10:51 a.m., 3 views

Regular Expression Denial of Service (ReDoS)

Overview: parse-duration is a package that converts a human-readable duration to ms. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). An attacker could cause an event loop delay or trigger an out of memory error that would crash a running Node.js...

CVSS 8.7 · AI score 7 · EPSS 0.00715
Exploits 0 · References 2
CNNVD
added 2025/02/12 12:00 a.m., 3 views

parse-duration security vulnerability

parse-duration is an application that converts readable durations to milliseconds by the individual developer Jake Rosoman. A security vulnerability exists in parse-duration prior to version 2.1.3, which stems from a CPU-intensive operation when parsing strings, and may result in a delayed event...

CVSS 7.5 · AI score 6.5 · EPSS 0.00715
Exploits 0 · References 3
Positive Technologies
added 2025/02/12 12:00 a.m., 4 views

PT-2025-7066 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: parse-duration versions prior to 2.1.3. Description: The issue is related to an event loop delay due to the CPU-bound operation of resolving the provided string, which can range from 0.5ms to 50ms per operation, depending on the size of the inp...

CVSS 7.5 · AI score 6.6 · EPSS 0.00715
Exploits 0 · References 9
OSSF Malicious Packages
added 2025/01/30 4:55 p.m., 5 views

Malicious code in media_kit_native_event_loop (npm)

The package communicates with a domain associated with malicious activity. Per source details: Source: ghsa-malware 08d4f7b68836068f9cc96c2c5db66c0ad1cbc255e21f525e5069885d7aff5e5f. Any computer that has this package installed or running should be considered...

AI score 6.8
Exploits 0 · References 1
Tenable Nessus
added 2025/01/09 12:00 a.m., 31 views

Amazon Linux 2 : python3-tornado (ALAS-2025-2725)

The version of python3-tornado installed on the remote host is prior to 5.0.2-4. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2725 advisory. Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Torna...

CVSS 7.5 · AI score 7.2 · EPSS 0.01051
Exploits 0 · References 4
RedHat Linux
added 2024/12/12 8:00 p.m., 1 view

path-to-regexp: Backtracking regular expressions cause ReDoS

A flaw was found in the path-to-regexp package, which turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, po...

CVSS 7.5 · AI score 6.8 · EPSS 0.00932
Exploits 0 · References 7
Cvelist
added 2024/12/02 3:57 p.m., 15 views

CVE-2024-53981 python-multipart has a Denial of service (DoS) via deformation `multipart/form-data` boundary

python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause...

CVSS 7.5 · EPSS 0.00632
Exploits 0 · References 2
Debian CVE
added 2024/12/02 3:57 p.m., 15 views

CVE-2024-53981

python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause...

CVSS 7.5 · AI score 7.5 · EPSS 0.00632
Exploits 0
Vulnrichment
added 2024/12/02 3:57 p.m., 16 views

CVE-2024-53981 python-multipart has a Denial of service (DoS) via deformation `multipart/form-data` boundary

python-multipart is a streaming multipart parser for Python. When parsing form data, python-multipart skips line breaks (CR \r or LF \n) in front of the first boundary and any trailing bytes after the last boundary. This happens one byte at a time and emits a log event each time, which may cause...

CVSS 7.5 · AI score 6.8 · EPSS 0.00632
Exploits 0 · References 2
SUSE CVE
added 2024/11/23 12:14 a.m., 2 views

SUSE CVE-2024-52804

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in th...

CVSS 5.3 · AI score 6.9 · EPSS 0.01051
Exploits 0 · References 10
Github Security Blog
added 2024/11/22 8:26 p.m., 70 views

Tornado has an HTTP cookie parsing DoS vulnerability

The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See...

CVSS 7.5 · AI score 6.7 · EPSS 0.01051
Exploits 0 · References 5 · Affected Software 1
OSV
added 2024/11/22 8:26 p.m., 0 views

GHSA-8W49-H785-MJ3C Tornado has an HTTP cookie parsing DoS vulnerability

The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in the event loop thread and may block the processing of other requests. See...

CVSS 7.5 · AI score 6.8 · EPSS 0.01051
Exploits 0 · References 5
OSV
added 2024/11/22 4:15 p.m., 3 views

DEBIAN-CVE-2024-52804

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in th...

CVSS 7.5 · AI score 7.2 · EPSS 0.01051
Exploits 0 · References 1
OSV
added 2024/11/22 4:15 p.m., 4 views

AZL-53624 CVE-2024-52804 affecting package python-tornado 6.2.0-1

Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This parsing occurs in th...

CVSS 7.5 · AI score 7.3 · EPSS 0.01051
Exploits 0 · References 1