Regular Expression Denial of Service in millisecond

Description

Versions of millisecond prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Recommendation

Update the millisecond package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.1.2
• Patched version(s): 0.1.2

References

• GHSA-m489-xr35-fjxr
• www.npmjs.com
• CWE-1333
• CWE-400

Related Issues

• Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) - CVE-2020-8203
• Cross-site Scripting (XSS) in serialize-javascript - CVE-2024-11831
• QMarkdown Cross-Site Scripting (XSS) vulnerability - CVE-2025-43954
• MathLive's Lack of Escaping of HTML allows for XSS - CVE-2025-29049

Tags:

npm

millisecond