Description
Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.
The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.
Recommendation
No fix is available yet. The following versions are affected:
- <= 2.3.0
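With no fixed release available, one mitigation is to bound untrusted input before it reaches the parser and to record any parse that blocks the event loop. The following is an added example, not code from this advisory or from timespan; `parse` stands for whatever date-parsing function the application calls, and the length cap, character range and timing threshold are assumed values.

```javascript
// Added example: guard a regex-based date parser against oversized input.
// MAX_DATE_LENGTH and SLOW_PARSE_MS are assumptions, not values from the advisory.
const MAX_DATE_LENGTH = 64; // legitimate date expressions are short
const SLOW_PARSE_MS = 50;   // report any parse that blocks at least this long

class DateInputRejected extends Error {
  constructor(reason) {
    super(`date input rejected: ${reason}`);
    this.name = 'DateInputRejected';
    this.reason = reason;
  }
}

// Linear-time checks that run before any regular expression sees the data.
// Returns null when the input is acceptable, otherwise a short reason code.
function checkDateInput(input, maxLength = MAX_DATE_LENGTH) {
  if (typeof input !== 'string') return 'not-a-string';
  if (input.length === 0) return 'empty';
  if (input.length > maxLength) return 'too-long';
  for (let i = 0; i < input.length; i++) {
    const c = input.charCodeAt(i);
    // Assumed policy: printable ASCII only.
    if (c < 0x20 || c > 0x7e) return 'non-printable';
  }
  return null;
}

// `parse` is the application's date parser (hypothetical parameter).
// `onSlow` receives timing data so slow parses can be logged or alerted on.
function safeParseDate(parse, input, options = {}) {
  const { maxLength = MAX_DATE_LENGTH, slowMs = SLOW_PARSE_MS, onSlow = () => {} } = options;
  const reason = checkDateInput(input, maxLength);
  if (reason !== null) throw new DateInputRejected(reason); // parser is never called
  const start = Date.now();
  try {
    return parse(input);
  } finally {
    const elapsedMs = Date.now() - start;
    if (elapsedMs >= slowMs) onSlow({ elapsedMs, length: input.length });
  }
}
```

The length cap removes the amplification described above, since the parser never sees more than a few dozen characters; the `onSlow` hook gives detection coverage if a short input still turns out to be expensive.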
References
Related Issues
- Regular Expression Denial of Service in marked (GHSA-x5pg-88wf-qq4p) - CVE-2017-16114
- Regular Expression Denial of Service in slug - CVE-2017-16117
- Regular Expression Denial of Service in moment - CVE-2017-18214
- Regular Expression Denial Of Service in uri-js - CVE-2017-16021
Tags:
- npm
- timespan
Last updated on September 13, 2023