Regular expression denial of service in devcert

Severity:: High

Description

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method

Recommendation

Update the devcert package to the latest compatible version. Followings are version details:

Affected version(s): < 1.2.1
Patched version(s): 1.2.1

References

GHSA-fp36-299x-pwmw
research.jfrog.com
CVE-2022-1929
CWE-1333
CAPEC-310
OWASP 2021-A6

Related Issues

min-document vulnerable to prototype pollution - CVE-2025-57352
Vite bypasses server.fs.deny when using ?raw?? - CVE-2025-30208
GetmeUK ContentTools Cross-Site Scripting (XSS) - CVE-2025-2699
node-gettext vulnerable to Prototype Pollution - CVE-2024-21528

Tags:: npm; devcert

Anything's wrong? Let us know Last updated on November 29, 2023