Regular Expression Denial of Service in papaparse

Description

Versions of papaparse prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service.

Recommendation

Update the papaparse package to the latest compatible version. Followings are version details:

• Affected version(s): < 5.2.0
• Patched version(s): 5.2.0

References

• GHSA-qvjc-g5vr-mfgr
• snyk.io
• vuldb.com
• CVE-2020-36649
• CWE-185
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Knwl.js Regular Expression Denial of Service vulnerability - CVE-2020-26306
• Regular Expression Denial of Service (ReDoS) in lodash - lodash.trim - CVE-2020-28500
• Regular Expression Denial of Service (ReDoS) in lodash - lodash.trimend - CVE-2020-28500
• useragent Regular Expression Denial of Service vulnerability - CVE-2020-26311

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

papaparse