Description
Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input.
The issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds,
About 50k characters can block the event loop for 2 seconds.
Recommendation
Update the slug package to the latest compatible version. Followings are version details:
- Affected version(s): <= 0.9.1
- Patched version(s): 0.9.2
References
Related Issues
- Mammoth is vulnerable to Directory Traversal - CVE-2025-11849
- json-logic-js Command Injection vulnerability - CVE-2021-4329
- Bootstrap Cross-site Scripting vulnerability - CVE-2016-10735
- protobufjs Prototype Pollution vulnerability - CVE-2023-36665
- Tags:
- npm
- slug
Anything's wrong? Let us know Last updated on January 12, 2023