mochajs / mocha

β˜•οΈ simple, flexible, fun javascript test framework for node.js & the browser
https://mochajs.org
MIT License

🔒 Security: Vulnerability Detected in Dependency (NPM debug) #4987

Closed kat2codes closed 10 months ago

kat2codes commented 1 year ago

Description

I would like to report a high vulnerability that has been detected in one of the dependencies of Mocha. The vulnerability is present in the debug package, specifically version 4.3.4. The vulnerability is classified as CWE-1333: Inefficient Regular Expression Complexity.

Package: debug
Version: 4.3.4 (latest)
CWE: CWE-1333 (Inefficient Regular Expression Complexity)
Description: In NPM debug, the enable function accepts a regular expression from user input without escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service). This is a different issue than CVE-2017-16137.

Please note that I did not directly install or utilize the debug package. Instead, it is a dependency of the Mocha package I am currently using, specifically version 10.2.0.

I kindly request the necessary actions to be taken to address and remediate this vulnerability to ensure the security and stability of the mocha framework. If any further info is required, please let me know.

Thanks!

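As an added illustration of the mechanism the report describes (example code, not debug's or Mocha's own, and not a claim about how debug 4.3.4 is implemented): a constructed namespace-to-regex converter that assumes a DEBUG-style comma/space-separated list with `*` wildcards and `-` exclusions, shown with and without escaping the remaining regex metacharacters before compiling.

```javascript
// Added example: models turning a DEBUG-style namespace string into RegExp
// objects. With escape=false the text is interpolated unescaped, so any regex
// syntax in it is interpreted (and malformed syntax throws); with escape=true
// only the '*' wildcard keeps special meaning.

// Escape regex metacharacters, leaving '*' for the wildcard expansion below.
function escapeForNamespace(ns) {
  return ns.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
}

// Split "a,b -c" style input into enabled names and skips, compiled to regexes.
function compileNamespaces(namespaces, escape) {
  const names = [];
  const skips = [];
  const parts = namespaces.trim().replace(/\s+/g, ',').split(',').filter(Boolean);
  for (const raw of parts) {
    const negate = raw[0] === '-';
    const body = negate ? raw.slice(1) : raw;
    const source = (escape ? escapeForNamespace(body) : body).replace(/\*/g, '.*?');
    (negate ? skips : names).push(new RegExp('^' + source + '$'));
  }
  return { names, skips };
}

// A name is enabled when no skip matches and at least one name pattern matches.
function isEnabled(compiled, name) {
  if (compiled.skips.some((re) => re.test(name))) return false;
  return compiled.names.some((re) => re.test(name));
}

// Constructed input containing regex syntax. Unescaped, "app:(db|cache)" is an
// alternation that also matches "app:db"; escaped, it matches only that literal name.
const INPUT = 'app:(db|cache),-app:*:verbose';
const unescaped = compileNamespaces(INPUT, false);
const escaped = compileNamespaces(INPUT, true);

function demo() {
  return {
    unescapedMatchesDb: isEnabled(unescaped, 'app:db'),          // true
    escapedMatchesDb: isEnabled(escaped, 'app:db'),              // false
    escapedMatchesLiteral: isEnabled(escaped, 'app:(db|cache)'), // true
    wildcardSkip: isEnabled(escaped, 'app:(db|cache):verbose'),  // false
  };
}
```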

JoshuaKGoldberg commented 10 months ago

See https://github.com/debug-js/debug/issues/924#issuecomment-1539047726. Thanks for filing, but this isn't a good use of anybody's time to investigate.