Open secdevlpr26 opened 1 year ago
Is anyone willing to work on this?
Any update on this?
One of the lines referred to by the CVE has the following regex \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$
Would changing it to \s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+|)x)$
be enough?
\s+([1-9][0-9]*w|[0-9]+(?=(\.[0-9]+|))\2x)$
is another way that should stop the backtracking (based on https://snyk.io/blog/redos-and-catastrophic-backtracking/).
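A linear-time equivalent of the regex quoted above, as an added example that is not code from this thread or from the html-minifier project; it assumes Node.js and that the quoted regex is the one under discussion:

```javascript
// Added example (not code from html-minifier or from anyone in this thread).
// The quoted regex has no start anchor and opens with a greedy \s+, so on a
// long run of whitespace the engine re-tries the alternation from every
// offset after backtracking: quadratic work on pathological input. The
// scanner below accepts exactly the same strings in one right-to-left pass.

const DESCRIPTOR_RE = /\s+([1-9][0-9]*w|[0-9]+(?:\.[0-9]+)?x)$/;

const isDigit = (c) => c >= '0' && c <= '9';
const isSpace = (c) => /\s/.test(c); // one char, same class as the regex's \s

// Returns the trailing srcset-style descriptor ("640w", "1.5x") that
// DESCRIPTOR_RE would capture, or null when the regex would not match.
function trailingDescriptor(s) {
  let i = s.length - 1;
  const unit = s[i];
  if (unit !== 'w' && unit !== 'x') return null;
  const afterDigits = --i;
  while (i >= 0 && isDigit(s[i])) i--;        // [0-9]+ (or [1-9][0-9]*)
  if (i === afterDigits) return null;          // no digits before the unit
  let start = i + 1;
  if (unit === 'w') {
    if (s[start] === '0') return null;         // [1-9] forbids a leading zero
  } else if (i >= 0 && s[i] === '.') {         // optional (\.[0-9]+) for x
    const dot = i--;
    while (i >= 0 && isDigit(s[i])) i--;
    if (i === dot - 1) return null;            // ".5x": no integer part
    start = i + 1;
  }
  if (i < 0 || !isSpace(s[i])) return null;    // \s+ must precede the number
  return s.slice(start);
}

// Reference check: does the scanner agree with the regex on this input?
function agreesWithRegex(s) {
  const m = DESCRIPTOR_RE.exec(s);
  return (m ? m[1] : null) === trailingDescriptor(s);
}

// Constructed sample candidates: valid, malformed and edge cases.
const SAMPLES = ['img.jpg 640w', 'img.jpg 1.5x', 'img.jpg\t0x', ' 2x',
  'img.jpg 0w', 'img.jpg .5x', 'img.jpg 1.x', 'img.jpg 1.5w', 'img.jpg2x',
  'img.jpg 2X', 'x', ''];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', trailingDescriptor(s),
    agreesWithRegex(s) ? '(same as regex)' : '(MISMATCH)');
}
```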
I stumbled upon a fork of this maintained by terser: https://www.npmjs.com/package/html-minifier-terser
Probably the way to go.
any updates?
any updates?
@littleblack111 as mentioned above, along with the slew of references to others switching, html-minifier-terser is probably the best solution. Aside from some repo adjustments this solution appears to be fairly abandoned, especially since the package hasn't been updated in 5 years, while html-minifier-terser is maintained by Terser.
Now I've just got to remember what project I'm involved in that has this one as an issue!
any update on this issue?
any update on this issue?
@Hessah95 The comments in this thread point to another solution that's maintained.
html-minifier-terser latest version (7.2.0) still has the vulnerability? I just installed it and it says so.
A Regular Expression Denial of Service (ReDoS) flaw was found in kangax html-minifier 4.0.0 via the candidate variable in htmlminifier.js. The ReDoS vulnerability can be mitigated with several best practices described here: [https://snyk.io/blog/redos-and-catastrophic-backtracking/]