Regular Expression Denial of Service in slug

Description

Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input.

The issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds,

About 50k characters can block the event loop for 2 seconds.

Recommendation

Update the slug package to the latest compatible version. Followings are version details:

• Affected version(s): <= 0.9.1
• Patched version(s): 0.9.2

References

• GHSA-jxqq-cqm6-pfq9
• www.npmjs.com
• CVE-2017-16117
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Regular Expression Denial Of Service in uri-js - CVE-2017-16021
• Regular Expression Denial of Service in marked - marked - CVE-2017-16114
• Regular Expression Denial of Service in string package - CVE-2017-16116
• Regular Expression Denial of Service in timespan - CVE-2017-16115

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

slug