GHSA-f523-2f5j-gfcg

Suggest an improvement
Source
https://github.com/advisories/GHSA-f523-2f5j-gfcg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-f523-2f5j-gfcg/GHSA-f523-2f5j-gfcg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f523-2f5j-gfcg
Aliases
  • CVE-2017-16115
Published
2018-08-29T23:04:14Z
Modified
2023-11-08T03:59:05.707021Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Regular Expression Denial of Service in timespan
Details

Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.

The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.

Recommendation

No direct patch is available for this vulnerability.

Currently, the best available solution is to use a functionally equivalent alternative package.

It is also sufficient to ensure that user input is not being passed into timespan, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.

Database specific 
{
    "github_reviewed_at": "2020-06-16T21:33:38Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "nvd_published_at": null,
    "severity": "HIGH",
    "github_reviewed": true
}
References

Affected packages

npm / timespan

Package

Name
timespan
View open source insights on deps.dev
Purl
pkg:npm/timespan

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
2.3.0