OS2iot / OS2iot-backend

This repository contains the backend to the project OS2iot.
Mozilla Public License 2.0

Fix CVE-2022-25858 #194

Closed debricked[bot] closed 1 year ago

debricked[bot] commented 2 years ago

CVE-2022-25858

Vulnerable dependency: terser (npm) 5.12.0

Vulnerability details

Description

NVD

> The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

GitHub

> Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS
>
> The package terser before 4.8.1, from 5.0.0 and before 5.14.2 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure usage of regular expressions.

CVSS details - 7.5

| CVSS3 metrics | |
|:-|:-|
| Attack Vector | **Network** |
| Attack Complexity | **Low** |
| Privileges Required | **None** |
| User Interaction | **None** |
| Scope | **Unchanged** |
| Confidentiality | **None** |
| Integrity | **None** |
| Availability | **High** |

References

- [NVD - CVE-2022-25858](https://nvd.nist.gov/vuln/detail/CVE-2022-25858)
- [THIRD PARTY](https://github.com/terser/terser/blob/master/lib/compress/evaluate.js%23L135)
- [backport fix to potential regexp DDOS · terser/terser@d8cc569 · GitHub](https://github.com/terser/terser/commit/d8cc5691be980d663c29cc4d5ce67e852d597012)
- [fix potential regexp DDOS · terser/terser@a4da734 · GitHub](https://github.com/terser/terser/commit/a4da7349fdc92c05094f41d33d06d8cd4e90e76b)
- [terser/evaluate.js at master · terser/terser · GitHub](https://github.com/terser/terser/blob/master/lib/compress/evaluate.js#L135)
- [Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS · CVE-2022-25858 · GitHub Advisory Database · GitHub](https://github.com/advisories/GHSA-4wf5-vphf-c2xc)


Related information

:pushpin: Remember! Check the changes to ensure they don't introduce any breaking changes.
:books: Read more about the CVE


AramAlsabti commented 1 year ago

Duplicate of https://github.com/OS2iot/OS2IoT-backend/pull/185