Description
The timespan module is vulnerable to regular expression denial of service (ReDoS). Given 50k characters of untrusted user input, it will block the event loop for around 10 seconds.
Remediation
References
https://github.com/indexzero/TimeSpan.js/issues/10
https://nodesecurity.io/advisories/533
Related Vulnerabilities
CVE-2023-26105 Vulnerability in npm package utilities
CVE-2018-20222 Vulnerability in maven package org.airsonic.player:airsonic-main
CVE-2015-2156 Vulnerability in maven package io.netty:netty-all
CVE-2019-16562 Vulnerability in maven package org.jenkins-ci.plugins:buildgraph-view
CVE-2019-10398 Vulnerability in maven package org.jenkins-ci.plugins:beaker-builder