Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW12bWYtY3ZmeC1xZzU1
Regular Expression Denial of Service in bleach
All versions of the bleach package are vulnerable to a regular expression denial of service attack when certain types of input are passed into the sanitize function.
Recommendation
The bleach package is not currently maintained, and has not seen an update since 2014.
To mitigate this issue, it is necessary to use an alternative module that is actively maintained and provides similar functionality. There are multiple modules fitting these criteria available on npm.
Permalink: https://github.com/advisories/GHSA-mvmf-cvfx-qg55
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW12bWYtY3ZmeC1xZzU1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: about 2 years ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-mvmf-cvfx-qg55, CVE-2014-8881
References:
- https://www.npmjs.com/advisories/47
- https://nvd.nist.gov/vuln/detail/CVE-2014-8881
- https://snyk.io/vuln/npm:bleach:20151024
- https://github.com/advisories/GHSA-mvmf-cvfx-qg55
Affected Packages
npm:bleach
Dependent packages: 3
Dependent repositories: 8
Downloads: 1,799 last month
Affected Version Ranges: >= 0.0.0
No known fixed version
All affected versions: 0.0.0, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.2.1, 0.3.0