ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
- Severity: Low
Description
The ReDoS can be exploited through the `parseHTML` function in the `html-parser.ts` file. This flaw allows attackers to slow down the application by providing specially crafted input that causes inefficient processing of regular expressions, leading to excessive resource consumption.
To demonstrate this vulnerability, here’s an example.
Recommendation
Update the `vue` package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 2.0.0-alpha.1, < 3.0.0-alpha.0
- Patched version(s): 3.0.0-alpha.0
References
- Tags: npm, vue
Last updated on October 24, 2024