Description
Versions of apostrophe prior to 2.97.1 are vulnerable to Denial of Service (DoS). The apostrophe-jobs module registers a callback for each incoming job and never clears it, regardless of whether the job completes, fails, or is abandoned. Because every started job leaves an entry behind, the server accumulates callbacks for the lifetime of the process; an attacker who can start jobs can create a large number of them and exhaust system memory.
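To make the failure mode concrete, the following is an added illustration of the pattern described above, not apostrophe's own code. The class and method names (LeakyJobRegistry, BoundedJobRegistry, start, finish, expire, simulate) are assumed for the example. The first registry keeps one entry per started job and never removes it; the second clears the entry on completion, caps the number of outstanding jobs, and expires entries whose caller never finishes them, so a single client cannot pin unbounded memory.

```javascript
// Added example (not apostrophe's code). Names below are assumed.
let nextId = 0;

// Vulnerable pattern: a callback is stored per job and never removed,
// so memory grows with the number of jobs ever started.
class LeakyJobRegistry {
  constructor() {
    this.callbacks = new Map();
  }
  start(onProgress) {
    const id = String(++nextId);
    this.callbacks.set(id, onProgress);
    return id;
  }
  finish(id, result) {
    const cb = this.callbacks.get(id);
    if (cb) cb(result);
    // Bug: the entry stays in the Map regardless of job status.
  }
  get pending() { return this.callbacks.size; }
}

// Hardened pattern: always delete the entry when the job finishes, refuse
// new jobs past a cap, and expire stale entries so abandoned jobs are reclaimed.
class BoundedJobRegistry {
  constructor({ maxPending = 1000, ttlMs = 60000, now = Date.now } = {}) {
    this.callbacks = new Map();
    this.maxPending = maxPending;
    this.ttlMs = ttlMs;
    this.now = now; // injectable clock, so expiry can be tested deterministically
  }
  start(onProgress) {
    this.expire();
    if (this.callbacks.size >= this.maxPending) {
      throw new Error('too many pending jobs');
    }
    const id = String(++nextId);
    this.callbacks.set(id, { cb: onProgress, startedAt: this.now() });
    return id;
  }
  finish(id, result) {
    const entry = this.callbacks.get(id);
    this.callbacks.delete(id); // clear first, whether or not the callback runs
    if (entry) entry.cb(result);
  }
  expire() {
    const cutoff = this.now() - this.ttlMs;
    for (const [id, entry] of this.callbacks) {
      if (entry.startedAt < cutoff) this.callbacks.delete(id);
    }
  }
  get pending() { return this.callbacks.size; }
}

// Simulate a client starting `jobs` jobs, optionally finishing all of them,
// and report how many were accepted and how many entries remain in memory.
function simulate(registry, jobs, finishAll) {
  const ids = [];
  for (let i = 0; i < jobs; i++) {
    try {
      ids.push(registry.start(() => {}));
    } catch (e) {
      break; // the bounded registry refuses further jobs at the cap
    }
  }
  if (finishAll) for (const id of ids) registry.finish(id, 'done');
  return { started: ids.length, pending: registry.pending };
}
```

With the leaky registry, 5000 started-and-finished jobs leave 5000 entries behind; with the bounded registry they leave none, and a client that starts jobs and never finishes them is held to the cap and reclaimed by the TTL. The cap and TTL values are illustrative; in a real deployment they should also be enforced per authenticated user rather than only globally.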
Recommendation
Update the apostrophe package to the latest compatible version. Version details:
- Affected version(s): < 2.97.1
- Patched version(s): 2.97.1
References
Related Issues
- Denial of Service in ws - Vulnerability
- Regular Expression Denial of Service in markdown - Vulnerability
- Regular Expression Denial of Service in millisecond - Vulnerability
- Regular Expression Denial of Service (ReDoS) - Vulnerability
Tags: npm, apostrophe
Last updated on January 09, 2023