3id-connect (>=1.0.0-alpha.3 <=1.0.0-alpha.4), 3id-test-helper (>=1.0.0 <=1.0.4) +1769 more potentially affected by CVE-2025-25283 via parse-duration (>=0.1.1 <=1.1.2)

parse-duration NPM version =0.1.1, =1.0.0-alpha.3, =1.0.0, =0.2.0, =0.1.0, =0.0.1, =1.0.21, =1.0.0, =0.0.1, =0.0.1, =1.0.0-beta.0, =0.1.0, =1.0.0, =0.0.1, =1.0.3, =0.0.8, =1.1.14 and more Source cves: CVE-2025-25283 Source advisory: OSV:GHSA-HCRG-FC28-FCG5...

parse-duration has a Regex Denial of Service that results in event loop delay and out of memory

Summary This report finds 2 availability issues due to the regex used in the parse-duration npm package: 1. An event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB...

CVE-2025-25283 parse-duraton vulnerable to Regex Denial of Service that results in event loop delay and out of memory

parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from...

CVE-2025-25283 parse-duraton vulnerable to Regex Denial of Service that results in event loop delay and out of memory

parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from...

CVE-2025-25283

CVE-2025-25283 concerns parse-duration (node package). Versions prior to 2.1.3 are vulnerable to event-loop delay due to CPU-bound duration resolution and may cause an out-of-memory crash with large Unicode-containing inputs. A patch is available in 2.1.3; remediation is to upgrade to that versio...

Regular Expression Denial of Service (ReDoS)

Overview parse-duration is a package that converts a human readable duration to ms. Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS. An attacker could cause an event loop delay or trigger an out of memory error that would crash a running Node.js...

parse-duration 安全漏洞

parse-duration is an application that converts readable durations to milliseconds by the individual developer Jake Rosoman. A security vulnerability exists in parse-duration prior to version 2.1.3, which stems from a CPU-intensive operation when parsing strings, and may result in a delayed event...

PT-2025-7066 · Node.Js +1 · Node.Js +1

Name of the Vulnerable Software and Affected Versions: parse-duraton versions prior to 2.1.3 Description: The issue is related to an event loop delay due to the CPU-bound operation of resolving the provided string, which can range from 0.5ms to 50ms per operation, depending on the size of the inp...

af-core (>=0.1.0 <=0.1.8), af-lib (=0.1.1) +51 more potentially affected by CVE-2021-1000007 +1 more via parse_duration (>=1.0.3 <=2.1.1)

parseduration CARGO version =1.0.3, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.6.2, =0.6.2, =0.6.2, =0.1.0, =0.1.0, =0.3.12, =0.1.0, =0.1.0, =0.3.0 and more Source cves: CVE-2021-1000007, CVE-2021-29932 Source advisory: OSV:GHSA-QPGV-G792-WH6X...

CVE-2021-29932

An issue was discovered in the parseduration crate through 2021-03-18 for Rust. It allows attackers to cause a denial of service CPU and memory consumption via a duration string with a large exponent...

af-core (>=0.1.0 <=0.1.8), af-lib (=0.1.1) +51 more potentially affected by CVE-2021-1000007 +1 more via parse_duration (>=1.0.3 <=2.1.1)

parseduration CARGO version =1.0.3, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.6.2, =0.6.2, =0.6.2, =0.1.0, =0.1.0, =0.3.12, =0.1.0, =0.1.0, =0.3.0 and more Source cves: CVE-2021-1000007, CVE-2021-29932 Source advisory: OSV:RUSTSEC-2021-0041...