Description

The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.

Remediation

References

https://github.com/indexzero/TimeSpan.js/issues/10

https://nodesecurity.io/advisories/533

Related Vulnerabilities

CVE-2023-3691 Vulnerability in maven package org.webjars.bowergithub.layui:layui

CVE-2020-28422 Vulnerability in npm package git-archive

CVE-2022-25872 Vulnerability in npm package fast-string-search

CVE-2022-29631 Vulnerability in maven package org.jodd:jodd-http

CVE-2019-15599 Vulnerability in npm package tree-kill

Severity

High

Classification

CWE-400 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Issue Tracking Third Party Advisory