brianreavis / sifter.js

A library for textually searching arrays and hashes of objects by property (or multiple properties). Designed specifically for autocomplete.

Regular expression Denial of Service - ReDoS #55

Closed. trianity closed this 4 years ago

trianity commented 4 years ago

sifter.js uses "csv-parse": "^2.0.0" as a dependency. csv-parse.js was affected by Regular Expression Denial of Service (ReDoS) up to v4.4.6 (https://www.npmjs.com/advisories/1171). The current version of csv-parse is v4.4.7. The suggestion is to update csv-parse in sifter.js due to the found vulnerability.

Versions of csv-parse prior to 4.4.6 are vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large specially-crafted input very slowly, leading to a Denial of Service. This is triggered when using the cast option.

Remediation: Upgrade to version 4.4.6 or later.
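As an added illustration (not code from this issue, sifter.js or csv-parse), the following JavaScript checks whether a package.json range such as the "^2.0.0" quoted above can ever resolve to the patched csv-parse release named in the advisory. Semver parsing and caret-range semantics are implemented inline rather than via the npm semver package, and only plain x.y.z versions with exact or "^" ranges are handled.

```javascript
// Added example: can a dependency range reach the first patched csv-parse?
// First release without the __isInt() ReDoS, per advisory 1171 quoted above.
const FIXED_CSV_PARSE = '4.4.6';

// Parse "x.y.z" into [x, y, z]; anything else (tags, prereleases) is rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Standard lexicographic compare on [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when a concrete installed version is below the first fixed release.
function isVulnerableCsvParse(version) {
  return compareVersions(version, FIXED_CSV_PARSE) < 0;
}

// Exclusive upper bound of a caret range, following npm's rule that the
// leftmost non-zero component may not change: ^2.0.0 => <3.0.0,
// ^0.4.1 => <0.5.0, ^0.0.3 => <0.0.4. Returns null for an exact pin.
function caretUpperBound(range) {
  if (!range.startsWith('^')) return null;
  const [major, minor, patch] = parseVersion(range.slice(1));
  if (major > 0) return `${major + 1}.0.0`;
  if (minor > 0) return `0.${minor + 1}.0`;
  return `0.0.${patch + 1}`;
}

// Can any version satisfying the range be >= the fixed release?
// For a caret range that holds exactly when its upper bound exceeds the fix.
function rangeCanReachFix(range) {
  const upper = caretUpperBound(range);
  if (upper === null) return !isVulnerableCsvParse(range);
  return compareVersions(upper, FIXED_CSV_PARSE) > 0;
}

// Stronger property: every version the range admits is already fixed,
// i.e. the range's lower bound is itself >= the fixed release.
function rangeAlwaysFixed(range) {
  const base = range.startsWith('^') ? range.slice(1) : range;
  return !isVulnerableCsvParse(base);
}
```

With the range from this issue, `rangeCanReachFix('^2.0.0')` is false, so no lockfile refresh can pull in the fix and the range itself has to be bumped (for instance to `^4.4.6`, for which `rangeAlwaysFixed` is true).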

mattgodbolt commented 4 years ago

Hi: Can we please merge #56, as a number of downstream projects are getting CVE notifications (thanks GitHub!). Would be ace to fix this and the upstream.

santoshshiv commented 4 years ago

+1 We are also facing the same issue. Please merge the PR #56 so that upstreams can also fix this at the earliest.

brianreavis commented 4 years ago

Please see https://github.com/brianreavis/sifter.js/pull/56#issuecomment-572253973