CVE-2018-3737
sshpk is vulnerable to ReDoS when parsing crafted invalid public keys...
Default credentials
charset 1.0.0 and below is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is...
CVE-2017-16086
ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted User-Agent header...
CVE-2018-3738
protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto files...
CVE-2018-3738
protobufjs is affected by a Denial of Service via a regular expression denial of service when parsing crafted invalid .proto files. Affected versions are prior to 5.0.3 and prior to 6.8.6. Remediation: upgrade to protobufjs 5.0.3 or later, or 6.8.6 or later. The issue arises from ReDoS during par...
CVE-2018-3737
CVE-2018-3737 is a ReDoS vulnerability in the sshpk module when parsing crafted invalid public keys. Connected docs identify this issue as nodejs-sshpk (SSH public-key parsing) referenced in MiracleLinux AXSA-2020-200:01, noting the vulnerability in lib/formats/ssh.js. The Initial Description alr...
CVE-2017-16086
CVE-2017-16086 affects the ua-parser-js module (ua-parser) and can be triggered by a specially crafted User-Agent header, causing a Regular Expression Denial of Service (ReDoS). The vulnerability is documented with a CVSS v3.0 base score of 7.5 (HIGH) and visible in NVD; a prior v2.0 score is 5.0...
CVE-2017-16021
The CVE-2017-16021 issue affects uri-js up to v2.1.1, where a RegExp-based URL validation can cause a Denial of Service (high CPU usage) when processing user input via parse(). Fedora/Nessus/OpenVAS entries reference CVE-2017-16021 and indicate updating to a newer nodejs-uri-js release to fix the...
AZL-44502 CVE-2016-10540 affecting package js-jquery 3.5.0-4
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter...
DEBIAN-CVE-2016-10539
negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks, including Express and Koa. The "Accept-Language" header, when parsed by negotiator 0.6.0 and earlier, is vulnerable to Regular Expression Denial of Service via a specially crafted string...
CVE-2016-10540
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter...
CVE-2016-10520
jadedown is vulnerable to regular expression denial of service (ReDoS) when certain types of user input are passed in...