Description
The timespan module is vulnerable to regular expression denial of service (ReDoS). Given 50k characters of untrusted user input, it will block the event loop for around 10 seconds.
Remediation
References
https://github.com/indexzero/TimeSpan.js/issues/10
https://nodesecurity.io/advisories/533
Related Vulnerabilities
CVE-2019-12041 Vulnerability in maven package org.webjars:remarkable
CVE-2021-23411 Vulnerability in npm package anchorme
CVE-2018-1002204 Vulnerability in maven package org.webjars.npm:adm-zip
CVE-2020-8192 Vulnerability in npm package fastify
CVE-2016-6347 Vulnerability in maven package org.jboss.resteasy:resteasy-jaxrs