Description
The timespan module is vulnerable to regular expression denial of service (ReDoS). Given 50k characters of untrusted user input, it will block the event loop for around 10 seconds.
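One way to keep input of that size away from a regex-based parser is to enforce a length limit before the parser runs. This is an added example, not code from the advisory or from the timespan project; `guardParser`, `blockedMs`, `MAX_INPUT_LENGTH` and the stand-in parser `parseOffset` are hypothetical names chosen for illustration.

```javascript
// Added example: bound untrusted input before it reaches a regex-based parser.
// MAX_INPUT_LENGTH and parseOffset are assumptions for illustration only.
const MAX_INPUT_LENGTH = 64; // a time expression is short; 50k characters never is one

// Wrap a synchronous parser so oversized or non-string input is rejected
// before any regular expression is evaluated.
function guardParser(parse, maxLength = MAX_INPUT_LENGTH) {
  if (typeof parse !== 'function') throw new TypeError('parse must be a function');
  return function guarded(input) {
    if (typeof input !== 'string') throw new TypeError('expected a string');
    if (input.length > maxLength) {
      throw new RangeError(`input of ${input.length} chars exceeds limit of ${maxLength}`);
    }
    return parse(input);
  };
}

// Measure how long one synchronous call holds the event loop, in milliseconds.
function blockedMs(fn) {
  const start = Date.now();
  try { fn(); } catch (_) { /* a rejection is an expected outcome here */ }
  return Date.now() - start;
}

// Hypothetical stand-in for the library's parser (not timespan's real code).
let parserCalls = 0;
function parseOffset(text) {
  parserCalls += 1;
  const m = /^([+-]?\d{1,6})(seconds|minutes|hours|days)$/.exec(text);
  if (!m) throw new SyntaxError('unrecognised time expression');
  return { amount: Number(m[1]), unit: m[2] };
}

const safeParse = guardParser(parseOffset);

// Constructed inputs: one normal value, one of the size named in the advisory.
const normal = '+2days';
const oversized = '1'.repeat(50000);

function demo() {
  const parsed = safeParse(normal);
  const callsBefore = parserCalls;
  const elapsed = blockedMs(() => safeParse(oversized));
  return { parsed, parserReached: parserCalls !== callsBefore, elapsed };
}

console.log(demo());
```

The limit of 64 is an assumption; set it to the longest expression the application legitimately accepts.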
Remediation
References
https://github.com/indexzero/TimeSpan.js/issues/10
https://nodesecurity.io/advisories/533