Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY1MjMtMmY1ai1nZmNn
Regular Expression Denial of Service in timespan
Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.
The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.
Recommendation
No direct patch is available for this vulnerability.
Currently, the best available solution is to use a functionally equivalent alternative package.
It is also sufficient to ensure that user input is not being passed into timespan, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWY1MjMtMmY1ai1nZmNn
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: 8 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Identifiers: GHSA-f523-2f5j-gfcg, CVE-2017-16115
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16115
- https://github.com/indexzero/TimeSpan.js/issues/10
- https://github.com/advisories/GHSA-f523-2f5j-gfcg
- https://www.npmjs.com/advisories/533
Blast Radius: 35.2
Affected Packages
npm:timespan
Dependent packages: 40Dependent repositories: 49,844
Downloads: 436,632 last month
Affected Version Ranges: <= 2.3.0
No known fixed version
All affected versions: 2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0