Description
Affected versions of the string package are vulnerable to regular expression denial of service when specially crafted untrusted user input is passed into the underscore or unescapeHTML methods.
Recommendation
No fix is available yet. The following versions are affected:
- <= 3.3.3
References
Related Issues
- Regular Expression Denial of Service in slug - CVE-2017-16117
- Regular Expression Denial of Service in debug - CVE-2017-16137
- Regular Expression Denial Of Service in uri-js - CVE-2017-16021
- Regular Expression Denial of Service in moment - CVE-2017-18214
Tags:
- npm
- string
Last updated on September 12, 2023