timespan is a JavaScript TimeSpan library for node.js (and soon the browser).
Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It parses dates using regex strings, which may cause a slowdown of 10 seconds per 50k characters.
The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this: a specially crafted input can cause the program to enter these extreme situations and consume CPU excessively, resulting in a Denial of Service.
The advisory is for the timespan package:
https://nodesecurity.io/advisories/533
indexzero/TimeSpan.js#10
This means all projects using NSP and forever will have unit test failures.
It is unclear if that package is maintained. Last commit was in Aug 2016.