Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Alternate solution to CWE-1333 | Inefficient Regular Expression Complexity #957

Open
provDannyLaw opened this issue Feb 21, 2024 · 2 comments

Comments

@provDannyLaw
Copy link

Hi, I don't know where to put this obvious suggestion, but it seems like this issue gets created multiple times and then summarily closed off.

Rather to ask for an ETA on a fix (the author has made it explicitly clear there will be no fix), consider that checkmarx does allow suppression of a vulnerability.

The CVE reads "Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service)." If you identified that this NPM is NOT used on a browser, or some front-end where there is some possibility of injection, you could safely assume that this is not exploitable and close it off. Most likely, debug is used on the backend of your applications.

Downgrade

Hope this helps.

@iperezmx87
Copy link

iperezmx87 commented Sep 17, 2024

Good evening:

Sadly I have the same problem with this. And also, in my workplace exists a cibersecurity policy that rescricts the use of checkmarx's vulnerable despendencies :(

Could you please review PR fix? It seems a good solution for it.

@fatihturgut
Copy link

Waiting for this fix

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

No branches or pull requests

3 participants