Open ghost1542 opened 7 years ago
Regular Expression Denial of Service (ReDoS)

High severity
Vulnerable module: timespan
Introduced through: timespan@2.3.0

Detailed paths:
Introduced through: forever@foreverjs/forever#3aa17a1088eb812eb03b49219e329fb4a48b4dfc › timespan@2.3.0

Overview
timespan is a JavaScript TimeSpan library for node.js (and soon the browser).

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 10 seconds per 50k characters.

Regular Expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many regular expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can exploit this by using a specially crafted input to make the program enter these extreme situations, causing the service to consume CPU excessively and resulting in a Denial of Service.
I've opened a PR that switches from timespan to date-difference. Please check!
New version is out with a fix!
The advisory is for the timespan package:
https://nodesecurity.io/advisories/533
https://github.com/indexzero/TimeSpan.js/issues/10

This means all projects using NSP and forever will have unit test failures.

It is unclear if that package is maintained. Last commit was in Aug 2016.