An open API service providing security vulnerability metadata for many open source software ecosystems.


Severity: High
EPSS: 0.0028% (0.50898 percentile)

Regular Expression Denial of Service in timespan

Affected Packages    Affected Versions    Fixed Versions
npm:timespan         <= 2.3.0             No known fixed version

Dependent packages:      40
Dependent repositories:  49,844
Downloads last month:    539,193

Affected Version Ranges

All affected versions

2.0.0, 2.0.1, 2.1.0, 2.2.0, 2.3.0

Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.

The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.

Recommendation

No direct patch is available for this vulnerability.

Currently, the best available solution is to use a functionally equivalent alternative package.

It is also sufficient to ensure that user input is not being passed into timespan, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.
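The length limit recommended above, written as a guard placed in front of a date parser, together with a small harness for checking how long a parser blocks the event loop as input grows. This is an added example, not code from the advisory or from the timespan package; `parseDateString` is a hypothetical stand-in parser, and the 150-character limit is the advisory's figure.

```javascript
// Added example: the advisory's length-limit mitigation as a guard around a
// date parser, plus a harness to watch parse time grow with input size.
// Not code from the advisory or the timespan package.

const MAX_DATE_INPUT_LENGTH = 150; // limit recommended in the advisory

class InputTooLongError extends Error {
  constructor(length, max) {
    super(`date input of ${length} chars exceeds limit of ${max}`);
    this.name = 'InputTooLongError';
  }
}

// Reject over-long input before any regular expression is run on it.
function guardedParse(input, parser, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (typeof input !== 'string') throw new TypeError('expected a string');
  if (input.length > maxLength) {
    throw new InputTooLongError(input.length, maxLength);
  }
  return parser(input);
}

// Hypothetical stand-in parser (not timespan's): strict YYYY-MM-DD only.
// Anchored, fixed-width groups cannot backtrack catastrophically.
function parseDateString(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  return m ? { year: +m[1], month: +m[2], day: +m[3] } : null;
}

// Time a parser on constructed inputs of the given lengths. Parse failures
// are ignored because only the blocking time matters here.
function measureBlocking(parser, lengths, buildInput) {
  return lengths.map((n) => {
    const input = buildInput(n);
    const start = process.hrtime.bigint();
    try { parser(input); } catch (_) { /* only timing matters */ }
    const ms = Number(process.hrtime.bigint() - start) / 1e6;
    return { length: n, ms };
  });
}

// Estimate the growth exponent k in time ~ length^k from the last two
// samples; a value well above 1 means the parser amplifies input length.
function growthExponent(samples) {
  if (samples.length < 2) return NaN;
  const a = samples[samples.length - 2], b = samples[samples.length - 1];
  if (a.ms <= 0 || b.ms <= 0) return NaN;
  return Math.log(b.ms / a.ms) / Math.log(b.length / a.length);
}
```

Run `measureBlocking(parser, [100, 1000, 10000, 50000], (n) => '1'.repeat(n))` against a parser under review and inspect the returned timings; the 50,000-character sample corresponds to the ten-second figure quoted above.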
