Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThjdjUtcDkzNC0zaHdw
Denial of service in fast-csv
Impact
Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty
option when parsing.
Patches
This has been patched in v4.3.6
Workarounds
You will only be affected by this if you use the ignoreEmpty
parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6
References
This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP
regular expression as vulnerable.
Link to query run.
For more information
If you have any questions or comments about this advisory:
- Open an issue in fast-csv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThjdjUtcDkzNC0zaHdw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Identifiers: GHSA-8cv5-p934-3hwp, CVE-2020-26256
References:
- https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp
- https://github.com/C2FO/fast-csv/issues/540
- https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e
- https://lgtm.com/query/8609731774537641779/
- https://www.npmjs.com/package/@fast-csv/parse
- https://www.npmjs.com/package/fast-csv
- https://www.npmjs.com/advisories/1587
- https://www.npmjs.com/advisories/1588
- https://nvd.nist.gov/vuln/detail/CVE-2020-26256
- https://github.com/advisories/GHSA-8cv5-p934-3hwp
Blast Radius: 23.1
Affected Packages
npm:@fast-csv/parse
Dependent packages: 70Dependent repositories: 4,748
Downloads: 8,271,543 last month
Affected Version Ranges: < 4.3.6
Fixed in: 4.3.6
All affected versions: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3
All unaffected versions: 4.3.6, 5.0.0
npm:fast-csv
Dependent packages: 655Dependent repositories: 11,246
Downloads: 8,072,012 last month
Affected Version Ranges: < 4.3.6
Fixed in: 4.3.6
All affected versions: 0.0.0, 0.0.1, 0.0.2, 0.0.3, 0.1.0, 0.1.1, 0.1.2, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.3.1, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.6.0, 1.0.0, 1.1.0, 1.2.0, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 3.5.0, 3.6.0, 3.7.0, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.2.0, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5
All unaffected versions: 4.3.6, 5.0.0, 5.0.1