Description
The timespan module is vulnerable to regular expression denial of service (ReDoS). Given 50k characters of untrusted user input, it will block the event loop for around 10 seconds.
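An input guard for the failure mode described above, as an added example that is not part of the advisory or the timespan module: it caps length and restricts characters before a synchronous, regex-based parser sees the data. `MAX_LEN`, the allowlist, and `standInParse` with its constructed pattern are assumptions; the module's own regex and API are not shown on this page.

```javascript
// Added example, not code from the timespan module or the advisory.
// Assumptions: MAX_LEN, the allowlist, and standInParse (a constructed
// stand-in for a regex-based parser; its pattern is NOT the module's).
const MAX_LEN = 64;
const ALLOWED = /^[A-Za-z0-9 :.+-]*$/; // one character class, no nested quantifier

class RejectedInput extends Error {}

// Validate before the parser's regex ever sees the data.
function guardedParse(input, parse, maxLen = MAX_LEN) {
  if (typeof input !== 'string') throw new RejectedInput('not a string');
  if (input.length > maxLen) {            // O(1), checked first
    throw new RejectedInput(`length ${input.length} exceeds ${maxLen}`);
  }
  if (!ALLOWED.test(input)) throw new RejectedInput('unexpected character');
  return parse(input);
}

// Wall-clock time a synchronous call keeps the event loop busy.
function blockedMs(fn) {
  const start = Date.now();
  fn();
  return Date.now() - start;
}

// Constructed stand-in: unanchored /\d+$/ retries from every offset,
// so a long digit run followed by a non-digit costs quadratic time.
let parseCalls = 0;
function standInParse(s) {
  parseCalls += 1;
  const m = /\d+$/.exec(s);
  return m ? Number(m[0]) : null;
}

// Turn a guard rejection into a result the caller can log and answer with.
function tryParse(input) {
  try {
    return { ok: true, value: guardedParse(input, standInParse) };
  } catch (e) {
    if (e instanceof RejectedInput) return { ok: false, reason: e.message };
    throw e;
  }
}

const oversized = '1'.repeat(10000) + 'x'; // constructed sample input
console.log('unguarded ms:', blockedMs(() => standInParse(oversized)));
console.log('guarded   ms:', blockedMs(() => tryParse(oversized)));
console.log(tryParse('90'), tryParse(oversized).reason);
```

The rejection reason is suitable for logging, which gives operations a signal when oversized inputs start arriving at the endpoint.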
Remediation
References
https://nodesecurity.io/advisories/533
https://github.com/indexzero/TimeSpan.js/issues/10
Related Vulnerabilities
CVE-2022-27820 Vulnerability in maven package org.zaproxy:zap
CVE-2021-23362 Vulnerability in npm package hosted-git-info
CVE-2018-20676 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap
CVE-2016-10539 Vulnerability in maven package org.webjars.npm:negotiator
CVE-2020-2260 Vulnerability in maven package org.jenkins-ci.plugins:perfecto