CVE-2018-7158

Source
https://nvd.nist.gov/vuln/detail/CVE-2018-7158
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-7158.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-7158
Related
Published
2018-05-17T14:29:00Z
Modified
2024-09-03T02:18:54.402041Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

The 'path' module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, splitPathRe, used within the 'path' module for the various path parsing functions, including path.dirname(), path.extname() and path.parse() was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.

References

Affected packages

Alpine:v3.10 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.11 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.12 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.13 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.14 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.15 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.16 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.17 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.18 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.19 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.20 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.8 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Alpine:v3.9 / nodejs

Package

Name
nodejs
Purl
pkg:apk/alpine/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.11.0-r0

Affected versions

4.*

4.4.3-r0
4.4.4-r0
4.4.5-r0
4.4.7-r0
4.5.0-r0

6.*

6.9.1-r0
6.9.1-r1
6.9.2-r0
6.9.4-r0
6.9.4-r1
6.9.5-r0
6.9.5-r1
6.10.0-r0
6.10.1-r0
6.10.3-r0
6.11.0-r0
6.11.1-r0
6.11.1-r1
6.11.1-r2
6.11.2-r0
6.11.3-r0
6.11.4-r0
6.11.5-r0

8.*

8.9.0-r0
8.9.1-r0
8.9.2-r0
8.9.3-r0
8.9.3-r1
8.9.4-r0
8.10.0-r0

Debian:11 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.0~dfsg-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:12 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.0~dfsg-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Debian:13 / nodejs

Package

Name
nodejs
Purl
pkg:deb/debian/nodejs?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.0~dfsg-1

Ecosystem specific

{
    "urgency": "unimportant"
}

Git / github.com/nodejs/node

Affected ranges

Affected versions

v4.*

v4.0.0
v4.1.0
v4.1.1
v4.1.2