Ecosyste.ms: Advisories

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThjdjUtcDkzNC0zaHdw

Denial of service in fast-csv

Impact

Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty option when parsing.

Patches

This has been patched in v4.3.6

Workarounds

You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6

References

This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.
Link to query run.

For more information

If you have any questions or comments about this advisory:

• Open an issue in fast-csv

Permalink: https://github.com/advisories/GHSA-8cv5-p934-3hwp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLThjdjUtcDkzNC0zaHdw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago

CVSS Score: 5.7
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Identifiers: GHSA-8cv5-p934-3hwp, CVE-2020-26256
References:

• https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp
• https://github.com/C2FO/fast-csv/issues/540
• https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e
• https://lgtm.com/query/8609731774537641779/
• https://www.npmjs.com/package/@fast-csv/parse
• https://www.npmjs.com/package/fast-csv
• https://www.npmjs.com/advisories/1587
• https://www.npmjs.com/advisories/1588
• https://nvd.nist.gov/vuln/detail/CVE-2020-26256
• https://github.com/advisories/GHSA-8cv5-p934-3hwp

Repository: https://github.com/C2FO/fast-csv
Blast Radius: 23.1

Affected Packages