Regular Expression Denial of Service (ReDoS)
Vulnerable module: fresh
Introduced through: express@4.11.2
Detailed paths
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › express@4.11.2 › fresh@0.2.4
Remediation: Upgrade to express@4.15.5.
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › express@4.11.2 › send@0.11.1 › fresh@0.2.4
Remediation: Upgrade to express@4.15.5.
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › express@4.11.2 › serve-static@1.8.1 › send@0.11.1 › fresh@0.2.4
Remediation: Upgrade to express@4.15.5.
Overview
fresh is an HTTP response freshness testing module.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. A regular expression (/ *, */) is used for parsing HTTP headers and takes about 2 seconds of matching time for a 50k-character input.