
9269 matches found

Debian CVE
added 2018/06/07 2:0 a.m. · 17 views

CVE-2017-16119

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition...

7.5 CVSS · 7.4 AI score · 0.01584 EPSS
Exploits 0

Debian CVE
added 2018/06/07 2:0 a.m. · 21 views

CVE-2017-16138

The mime module 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input...

7.5 CVSS · 7.3 AI score · 0.02051 EPSS
Exploits 1

Debian CVE
added 2018/06/07 2:0 a.m. · 27 views

CVE-2017-16137

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue...

5.3 CVSS · 5.5 AI score · 0.02798 EPSS
Exploits 0

Debian CVE
added 2018/06/07 2:0 a.m. · 21 views

CVE-2017-16114

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds...

7.5 CVSS · 7.3 AI score · 0.01758 EPSS
Exploits 1

Cvelist
added 2018/06/07 2:0 a.m. · 23 views

CVE-2017-16115

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds...

7.4 AI score · 0.01503 EPSS
Exploits 0 · References 2

Cvelist
added 2018/06/07 2:0 a.m. · 32 views

CVE-2017-16137

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue...

6.9 AI score · 0.02798 EPSS
Exploits 0 · References 5

CVE
added 2018/06/07 2:0 a.m. · 58 views

CVE-2017-16115

The timespan module (JavaScript implementation) is vulnerable to a Regular Expression Denial of Service (ReDoS) when parsing dates. A crafted 50k-character input can block the event loop for about 10 seconds in affected versions of the timespan package. The documentation notes no direct p...

7.5 CVSS · 7.4 AI score · 0.01503 EPSS
Exploits 0 · References 2 · Affected Software 1

CVE
added 2018/06/07 2:0 a.m. · 1072 views

CVE-2017-16138

CVE-2017-16138 affects the mime Node.js module, with vulnerable versions including

7.5 CVSS · 7.1 AI score · 0.02051 EPSS
Exploits 1 · References 2 · Affected Software 1

CVE
added 2018/06/07 2:0 a.m. · 54 views

CVE-2017-16116

The CVE-2017-16116 entry corresponds to the Node.js string module. The vulnerability is a regular expression denial of service (ReDoS) triggered by untrusted input passed to the underscore or unescapeHTML methods. The impact is described as a potential denial of service. Public remediation details in the ...

7.5 CVSS · 7.3 AI score · 0.01659 EPSS
Exploits 1 · References 2 · Affected Software 1

CVE
added 2018/06/07 2:0 a.m. · 77 views

CVE-2017-16113

CVE-2017-16113 affects the parsejson module, where a regular expression denial of service (ReDoS) can be triggered by untrusted input during JSON parsing. Affected details across sources consistently describe a ReDoS risk in parsejson, with CVSS v3.0 base score 7.5 (HIGH) and impact on availabili...

7.5 CVSS · 7.3 AI score · 0.01508 EPSS
Exploits 1 · References 2 · Affected Software 1

CVE
added 2018/06/07 2:0 a.m. · 64 views

CVE-2017-16099

The CVE-2017-16099 entry concerns the nodejs-no-case (no-case) module, which is vulnerable to a regular expression denial of service (ReDoS). The underlying issue arises when untrusted user input is parsed by no-case, causing the event loop to block and potentially impacting availability. Public ...

7.5 CVSS · 7.3 AI score · 0.01584 EPSS
Exploits 0 · References 2 · Affected Software 1

CVE
added 2018/06/07 2:0 a.m. · 1295 views

CVE-2017-16137

CVE-2017-16137 affects the Node.js debug module and can cause a regular expression denial of service (ReDoS) when untrusted input is passed to the formatter; susceptibility is reported as low severity but could enable a DoS by consuming CPU with around 50k characters. The connected documents show...

5.3 CVSS · 5 AI score · 0.02798 EPSS
Exploits 0 · References 5 · Affected Software 1

Positive Technologies
added 2018/06/07 12:0 a.m. · 6 views

PT-2018-16161 · Protobufjs · Protobufjs

Name of the Vulnerable Software and Affected Versions: protobufjs versions prior to 5.0.3; protobufjs versions prior to 6.8.6
Description: The issue concerns a regular expression denial of service when parsing crafted invalid .proto files, potentially leading to ReDoS.
Recommendations: Update to...

5.5 CVSS · 5.3 AI score · 0.00958 EPSS
Exploits 1 · References 7

NVD
added 2018/06/04 7:29 p.m. · 8 views

CVE-2017-16021

uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU to idle at 100%...

6.8 CVSS · 6.5 AI score · 0.01342 EPSS
Exploits 1 · References 2

OSV
added 2018/06/04 7:29 p.m. · 4 views

CVE-2017-16021

uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU to idle at 100%...

6.5 CVSS · 5.8 AI score · 0.01342 EPSS
Exploits 1 · References 2

Prion
added 2018/06/04 7:29 p.m. · 10 views

Code injection

uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU to idle at 100%...

6.8 CVSS · 6.4 AI score · 0.01342 EPSS
Exploits 1 · References 2 · Affected Software 1

Cvelist
added 2018/06/04 7:0 p.m. · 31 views

CVE-2017-16021

uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether a supplied URL is valid. To do this, uri-js uses a regular expression. This regular expression is vulnerable to ReDoS. This causes the program to hang and the CPU to idle at 100%...

6.4 AI score · 0.01342 EPSS
Exploits 1 · References 2

Positive Technologies
added 2018/06/04 12:0 a.m. · 3 views

PT-2018-6052 · Github · Uri.Js

Name of the Vulnerable Software and Affected Versions: uri-js versions 2.1.1 and earlier
Description: The issue arises from a regular expression used by uri-js to validate URLs, which is vulnerable to ReDoS. This vulnerability causes the program to hang and results in 100% CPU usage when attempti...

6.8 CVSS · 6.2 AI score · 0.01342 EPSS
Exploits 1 · References 6

NVD
added 2018/05/31 8:29 p.m. · 26 views

CVE-2016-10539

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier, is vulnerable to Regular Expression Denial of Service via a specially crafted string...

7.5 CVSS · 7.4 AI score · 0.01399 EPSS
Exploits 0 · References 1

OSV
added 2018/05/31 8:29 p.m. · 21 views

CVE-2016-10539

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier, is vulnerable to Regular Expression Denial of Service via a specially crafted string...

7.5 CVSS · 7.7 AI score
Exploits 0 · References 1