Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTljcDMtZmg1eC14ZmNq
Regular Expression Denial of Service in charset
Affected versions of charset are susceptible to a regular expression denial of service.
The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length.
If node was compiled using the -DHTTP_MAX_HEADER_SIZE however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.
Recommendation
Update to version 1.0.1 or later.
Permalink: https://github.com/advisories/GHSA-9cp3-fh5x-xfcjJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTljcDMtZmg1eC14ZmNq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-9cp3-fh5x-xfcj, CVE-2017-16098
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16098
- https://github.com/node-modules/charset/issues/10
- https://github.com/node-modules/charset/pull/11
- https://github.com/node-modules/charset/commit/effda0c48c51b47a47f4cad7db0c51ee7407cc1b
- https://github.com/advisories/GHSA-9cp3-fh5x-xfcj
Blast Radius: 27.6
Affected Packages
npm:charset
Dependent packages: 70Dependent repositories: 4,856
Downloads: 3,798,673 last month
Affected Version Ranges: < 1.0.1
Fixed in: 1.0.1
All affected versions: 0.0.1, 0.0.2, 0.1.0, 1.0.0
All unaffected versions: 1.0.1