Description

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Remediation

References

https://github.com/indexzero/TimeSpan.js/issues/10

https://nodesecurity.io/advisories/533

Related Vulnerabilities

CVE-2021-29451 Vulnerability in maven package com.manydesigns:portofino-core

CVE-2022-0144 Vulnerability in npm package shelljs

CVE-2020-8141 Vulnerability in maven package org.webjars.bowergithub.olado:dot

CVE-2022-37260 Vulnerability in npm package steal

CVE-2022-46366 Vulnerability in maven package tapestry:tapestry

Severity

High

Classification

CWE-400 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Issue Tracking Third Party Advisory