Description
The timespan module is vulnerable to regular expression denial of service (ReDoS). Given 50k characters of untrusted user input, it blocks the event loop for around 10 seconds.
Remediation
References
https://github.com/indexzero/TimeSpan.js/issues/10
https://nodesecurity.io/advisories/533