Regular Expression Denial of Service in string package

Severity:: High

Description

Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

Recommendation

No fix is available yet. Followings are affected versions:

<= 3.3.3

References

GHSA-g36h-6r4f-3mqp
www.npmjs.com
CVE-2017-16116
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

Regular Expression Denial of Service in slug - CVE-2017-16117
Regular Expression Denial of Service in marked - marked - CVE-2017-16114
Regular Expression Denial of Service in timespan - CVE-2017-16115
Regular Expression Denial of Service in tough-cookie - CVE-2017-15010

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; string

Anything's wrong? Let us know Last updated on September 12, 2023