An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTRndzMtOGY3Ny1mNzJj

Severity: Moderate
EPSS: 0.0034% (0.55689 Percentile)

Regular expression denial of service in codemirror

Affected package: npm:codemirror
PURL: pkg:npm/codemirror
Affected versions: < 5.58.2
Fixed versions: 5.58.2
4,580 Dependent packages
112,084 Dependent repositories
15,905,869 Downloads last month

Affected Version Ranges

All affected versions

2.33.0, 3.11.1, 3.12.0, 3.13.0, 3.14.1, 3.15.0, 3.16.0, 3.17.0, 3.18.0, 3.19.0, 3.20.0, 3.21.0, 3.22.0, 3.23.0, 3.24.0, 4.0.3, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 4.11.0, 4.12.0, 4.13.0, 5.0.0, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0, 5.12.0, 5.13.0, 5.13.2, 5.13.4, 5.14.0, 5.14.2, 5.15.0, 5.15.2, 5.16.0, 5.17.0, 5.18.0, 5.18.2, 5.18.3, 5.19.0, 5.20.0, 5.20.2, 5.21.0, 5.22.0, 5.22.2, 5.23.0, 5.24.0, 5.24.2, 5.25.0, 5.25.2, 5.26.0, 5.27.0, 5.27.2, 5.27.4, 5.28.0, 5.29.0, 5.30.0, 5.31.0, 5.32.0, 5.33.0, 5.34.0, 5.35.0, 5.36.0, 5.37.0, 5.38.0, 5.39.0, 5.39.2, 5.40.0, 5.40.2, 5.41.0, 5.42.0, 5.42.2, 5.43.0, 5.44.0, 5.45.0, 5.46.0, 5.47.0, 5.48.0, 5.48.2, 5.48.4, 5.49.0, 5.49.2, 5.50.0, 5.50.2, 5.51.0, 5.52.0, 5.52.2, 5.53.0, 5.53.2, 5.54.0, 5.55.0, 5.56.0, 5.57.0, 5.58.0, 5.58.1

All unaffected versions

5.58.2, 5.58.3, 5.59.0, 5.59.1, 5.59.2, 5.59.3, 5.59.4, 5.60.0, 5.61.0, 5.61.1, 5.62.0, 5.62.1, 5.62.2, 5.62.3, 5.63.0, 5.63.1, 5.63.2, 5.63.3, 5.64.0, 5.65.0, 5.65.1, 5.65.2, 5.65.3, 5.65.4, 5.65.5, 5.65.6, 5.65.7, 5.65.8, 5.65.9, 5.65.10, 5.65.11, 5.65.12, 5.65.13, 5.65.14, 5.65.15, 5.65.16, 5.65.17, 5.65.18, 5.65.19, 5.65.20, 6.0.0, 6.0.1, 6.0.2, 6.65.7