Description
Affected versions of the string npm package are vulnerable to regular expression denial of service (ReDoS) when specially crafted, untrusted user input is passed to the underscore or unescapeHTML methods.
Recommendation
No fix is available yet. The following versions are affected:
- <= 3.3.3
Related Issues
- Elliptic's verify function omits uniqueness validation - CVE-2024-48949
- Nuxt DevTools vulnerable to cross-site scripting (XSS) - CVE-2025-52662
- Strapi is vulnerable to Insufficient Session Expiration - CVE-2025-3930
- Regular Expression Denial of Service (ReDoS) in lodash - CVE-2020-28500
Tags:
- npm
- string
Last updated on September 12, 2023