cayasso / mongo-oplog

Watch mongodb oplog in a simple way
380 stars, 91 forks

regular expression denial of service vulnerability #56

Closed zvictor closed 6 years ago

zvictor commented 6 years ago

I couldn't find anyone reporting this yet, which is weird to me, so here it goes:

This package fails the NSP check because debug < 2.6.9 is vulnerable to regular expression denial of service.

Regular Expression Denial of Service
Name        debug
CVSS        3.7 (Low)
Installed   2.3.3
Vulnerable  <= 2.6.8 >= 3.0.0 <= 3.0.1
Patched     >= 2.6.9 < 3.0.0 >= 3.1.0
Path        mongo-oplog@2.0.2 > debug@2.3.3
More Info   https://nodesecurity.io/advisories/534

The debug package needs to be updated to at least version 2.6.9.
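The report above gives the vulnerable and patched ranges for `debug` and the dependency path through which it reaches `mongo-oplog`. The following is an added example, not code from mongo-oplog or from the reporter: it encodes the advisory's vulnerable ranges (`<= 2.6.8` and `>= 3.0.0 <= 3.0.1`) and walks a package-lock-style dependency tree to report every nested `debug` that falls inside them, in the same `parent@version > debug@version` form that the NSP output uses. The dependency tree is constructed inline for the example and assumes the `{ version, dependencies }` shape that `package-lock.json` uses for nested packages; no `semver` package is needed.

```javascript
// Added example (not part of the mongo-oplog project): flag vulnerable versions of
// the "debug" package using the ranges from the advisory quoted in this issue.
// Vulnerable: <= 2.6.8 and >= 3.0.0 <= 3.0.1. Patched: >= 2.6.9 < 3.0.0 and >= 3.1.0.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into a numeric triple.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable ranges from the advisory as [lowInclusive, highInclusive];
// null means unbounded on that side.
const DEBUG_VULNERABLE_RANGES = [
  [null, '2.6.8'],
  ['3.0.0', '3.0.1'],
];

function isDebugVulnerable(version) {
  return DEBUG_VULNERABLE_RANGES.some(([lo, hi]) =>
    (lo === null || compareVersions(version, lo) >= 0) &&
    (hi === null || compareVersions(version, hi) <= 0));
}

// Walk a package-lock.json style "dependencies" map ({ name: { version, dependencies } })
// and return the dependency path of every nested "debug" whose version is vulnerable.
function findVulnerableDebug(dependencies, path = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === 'debug' && isDebugVulnerable(dep.version)) {
      hits.push(here.join(' > '));
    }
    hits.push(...findVulnerableDebug(dep.dependencies, here));
  }
  return hits;
}

// Constructed sample tree (hypothetical lockfile contents) mirroring the path in the
// NSP report above, plus a sibling that already carries a patched debug.
const SAMPLE_DEPENDENCIES = {
  'mongo-oplog': { version: '2.0.2', dependencies: { debug: { version: '2.3.3' } } },
  express: { version: '4.16.0', dependencies: { debug: { version: '2.6.9' } } },
};

console.log(findVulnerableDebug(SAMPLE_DEPENDENCIES));
// prints [ 'mongo-oplog@2.0.2 > debug@2.3.3' ]
```

To use it against a real project, replace `SAMPLE_DEPENDENCIES` with the `dependencies` object read from the project's `package-lock.json`; any path it reports is a nested `debug` that still needs the bump to `>= 2.6.9` (or `>= 3.1.0`). Pre-release suffixes are ignored by the parser, which is enough for this advisory's plain numeric ranges.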

cayasso commented 6 years ago

@zvictor Thanks for reporting this. The issue is the old version of the debug module; I will update and push a new release.

cayasso commented 6 years ago

Fixed here and will soon be out in a new release.

zvictor commented 6 years ago

Thank you so much for the quick reply :)