Description
Affected versions of the npm package string are vulnerable to Regular Expression Denial of Service (ReDoS) when specifically crafted untrusted user input is passed to the underscore or unescapeHTML methods. The cost of the vulnerable regular expression grows with the length of the input, so an attacker who controls the string can tie up the event loop with a single request.
Recommendation
No fix is available yet. Until a patched release exists, do not pass untrusted input to underscore or unescapeHTML, or enforce a strict length limit on the input before the call so that the worst-case work is bounded. The following versions are affected:
- <= 3.3.3
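The interim mitigation described above, as an added example that is not part of this advisory or of the string package: a length-bounded wrapper that an application can put in front of any call into the library. The limit MAX_UNTRUSTED_LEN, the helpers boundedCall and boundedCallOrNull, and the regex-free underscore stand-in (used only so the file runs without the package installed) are all assumptions of this example.

```javascript
// Added example (not from the string package or this advisory): guard a
// string-processing call on untrusted input while no patched release exists.
// ReDoS cost grows with input length, so capping the length bounds the
// worst-case work whatever the underlying regular expression is.

// Assumed policy limit; tune it to the longest legitimate value your
// application actually needs (identifiers, slugs and entity-bearing
// fragments are normally short).
const MAX_UNTRUSTED_LEN = 256;

class InputTooLongError extends Error {
  constructor(actual, limit) {
    super(`input of ${actual} characters exceeds limit of ${limit}`);
    this.name = 'InputTooLongError';
    this.actual = actual;
    this.limit = limit;
  }
}

// Apply `fn` to `input` only if it is a string within the size limit.
// `fn` is whatever transformation you need, for instance a wrapper around
// S(s).underscore().s or S(s).unescapeHTML().s from the string package.
function boundedCall(fn, input, maxLen = MAX_UNTRUSTED_LEN) {
  if (typeof input !== 'string') {
    throw new TypeError(`expected a string, got ${typeof input}`);
  }
  if (input.length > maxLen) {
    throw new InputTooLongError(input.length, maxLen);
  }
  return fn(input);
}

// Variant for request handlers that prefer to reject the value rather than
// throw: returns null on oversized or non-string input, rethrows anything else.
function boundedCallOrNull(fn, input, maxLen = MAX_UNTRUSTED_LEN) {
  try {
    return boundedCall(fn, input, maxLen);
  } catch (err) {
    if (err instanceof InputTooLongError || err instanceof TypeError) {
      return null;
    }
    throw err;
  }
}

// Stand-in for the library method, written without a regex and used only so
// this file runs offline. In real code replace it with the package call:
//   const S = require('string');
//   const underscore = s => S(s).underscore().s;
const underscore = (s) => {
  let out = '';
  for (const ch of s) {
    if (ch >= 'A' && ch <= 'Z') {
      out += (out ? '_' : '') + ch.toLowerCase();
    } else {
      out += ch;
    }
  }
  return out;
};

// Constructed inputs: a normal value and an oversized one of the kind a
// ReDoS payload would be (the attacker controls the length).
const normalInput = 'fooBarBaz';
const oversizedInput = 'a'.repeat(10000);

function demo() {
  const ok = boundedCall(underscore, normalInput);               // 'foo_bar_baz'
  const rejected = boundedCallOrNull(underscore, oversizedInput); // null
  return { ok, rejected };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The limit belongs at the trust boundary (request parsing or schema validation), not deep inside the call chain, so that every path into the vulnerable methods is covered and oversized values are rejected before any regex runs.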
Last updated on September 12, 2023