Regular Expression Denial of Service in sshpk

Description

Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Recommendation

Update the sshpk package to the latest compatible version. Followings are version details:

• Affected version(s): < 1.13.2
• Patched version(s): 1.13.2

References

• GHSA-2m39-62fm-q8r3
• hackerone.com
• www.npmjs.com
• CVE-2018-3737
• CWE-185
• CWE-770
• CAPEC-310
• OWASP 2021-A6

Related Issues

• uap-core Regular Expression Denial of Service issue - CVE-2018-20164
• Regular Expression Denial of Service in highcharts - highcharts - CVE-2018-20801
• Regular Expression Denial of Service in ssri - CVE-2018-7651
• Marked allows Regular Expression Denial of Service (ReDoS) attacks - CVE-2018-25110

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

sshpk