CVE-2025-25283

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-25283

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25283.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-25283

Aliases

GHSA-hcrg-fc28-fcg5

Published

2025-02-12T19:15:21Z

Modified

2025-02-13T08:44:42.150828Z

Summary

[none]

Details

parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to ~50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB respectively, and an out of memory that would crash a running Node.js application due to a string size of roughly 10 MB that utilizes unicode characters. Version 2.1.3 contains a patch.

References

Affected packages

Git / github.com/jkroso/parse-duration

Affected ranges

Type: GIT
Repo: https://github.com/jkroso/parse-duration
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9e88421bfd41806fa4b473bfb28a9ee9dafc27d7

Affected versions

0.*

0.1.0

0.1.1

0.3.0

0.4.0

v0.*

v0.1.2

v0.1.3

v0.2.0

v0.2.1

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.4.0

v1.*

v1.0.3

v1.1.0

v1.1.1

v1.1.2

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.1.0

v2.1.1

v2.1.2