Description
The timespan module is vulnerable to regular expression denial of service (ReDoS). Given 50k characters of untrusted user input, it will block the event loop for around 10 seconds.
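The following added example (not code from the timespan project or the advisory) shows a linear-time pre-check that rejects oversized input before any regex-based parser sees it, and measures how long the event loop is blocked with and without the check. Assumptions: `slowParse` is a constructed stand-in rather than the module's real pattern, and `MAX_LEN` and the character allowlist are hypothetical values to adjust to the formats you actually accept.

```javascript
// Constructed stand-in for a parser with a backtracking-prone pattern.
// NOT the timespan module's own regex; it only reproduces the behaviour
// class: matching time grows super-linearly on long non-matching input.
function slowParse(input) {
  return input.replace(/\s+$/, '');
}

// Assumed cap: legitimate time-span strings are far shorter than this.
const MAX_LEN = 64;

// Linear-time pre-check with no regex: type, length, character allowlist.
// The allowlist (digits and : . - +) is an assumption about the format.
function isSafeTimeSpanInput(input) {
  if (typeof input !== 'string') return false;
  if (input.length === 0 || input.length > MAX_LEN) return false;
  for (let i = 0; i < input.length; i++) {
    const c = input.charCodeAt(i);
    const isDigit = c >= 48 && c <= 57;
    const isSep = c === 58 || c === 46 || c === 45 || c === 43;
    if (!isDigit && !isSep) return false;
  }
  return true;
}

// Reject before the parser (and its regex) ever sees the string.
function guardedParse(input, parse) {
  if (!isSafeTimeSpanInput(input)) return { ok: false, value: null };
  return { ok: true, value: parse(input) };
}

// Wall-clock time the event loop is blocked by a synchronous call.
function blockedMs(fn) {
  const start = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Compare unguarded and guarded handling of a constructed oversized input.
function compare(n) {
  const oversized = ' '.repeat(n) + 'x';
  return {
    unguardedMs: blockedMs(() => slowParse(oversized)),
    guardedMs: blockedMs(() => guardedParse(oversized, slowParse)),
    result: guardedParse(oversized, slowParse),
  };
}
```

Calling `compare` with increasing `n` shows the unguarded time growing much faster than the input length, while the guarded path stays flat because the length check fails first.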
Remediation
References
https://github.com/indexzero/TimeSpan.js/issues/10
https://nodesecurity.io/advisories/533