Description
Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.
Recommendation
Update the sshpk package to the latest compatible version. Version details:
- Affected version(s): < 1.13.2
- Patched version(s): 1.13.2
References
Related Issues
- Regular Expression Denial of Service in ssri - CVE-2018-7651
- Regular Expression Denial of Service in highcharts (GHSA-xmc8-cjfr-phx3) - CVE-2018-20801
- uap-core Regular Expression Denial of Service issue - CVE-2018-20164
- Marked allows Regular Expression Denial of Service (ReDoS) attacks - CVE-2018-25110
Tags: npm, sshpk
Last updated on January 31, 2023