Fix CVE–2016–2537

[debricked-staging]

CVE–2016–2537

Vulnerable dependency:     is-my-json-valid (Yarn)    2.16.0    2.15.0

Vulnerability details

Description

Improper Input Validation

The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.

GitHub

Regular Expression Denial of Service in is-my-json-valid

Version of is-my-json-valid before 1.4.1 or 2.17.2 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.

Recommendation

Update to version 1.4.1, 2.17.2 or later.

NVD

The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.

CVSS details - 7.5

 

CVSS3 metrics
Attack Vector	Network
Attack Complexity	Low
Privileges Required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity	None
Availability	High

References

    NVD - CVE-2016-2537
    Regular Expression Denial of Service in is-my-json-valid · CVE-2016-2537 · GitHub Advisory Database · GitHub
    Moderate severity vulnerability that affects is-my-json-valid · GHSA-ccq6-3qx5-vmqx · GitHub Advisory Database · GitHub
    fix utc-millisec regex to avoid a ddos attack · mafintosh/is-my-json-valid@eca4beb · GitHub
    nodesecurity.io - nodesecurity Resources and Information.
    Merge pull request #159 from mafintosh/safe-regex · mafintosh/is-my-json-valid@b3051b2 · GitHub
    Regular Expression Denial of Service in is-my-json-valid · CVE-2016-2537 · GitHub Advisory Database · GitHub
    HackerOne
    Avoid catastrophic backtracking by LinusU · Pull Request #159 · mafintosh/is-my-json-valid · GitHub
    THIRD PARTY

 

Related information

📌 Remember! Check the changes to ensure they don't introduce any breaking changes.
📚 Read more about the CVE