mime is a comprehensive, compact MIME type module.
Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex /.*[.\/\]/ in its lookup, which can cause a slowdown of 2 seconds for 50k characters.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
You can read more about Regular Expression Denial of Service (ReDoS) on our blog.
eran10
commented
6 years ago
Vulnerable module: mime@1.2.11
mime is a comprehensive, compact MIME type module.
Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses regex the following regex /.*[.\/\]/ in its lookup, which can cause a slowdown of 2 seconds for 50k characters.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.
You can read more about Regular Expression Denial of Service (ReDoS) on our blog.