Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE3NWctMjQ5Ni1teHBw
Regular Expression Denial of Service in parsejson
Affected versions of parsejson are vulnerable to a regular expression denial of service when parsing untrusted user input.
Recommendation
The parsejson package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in Node.js, and therefore the native JSON.parse() should be used, for both performance and security reasons.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXE3NWctMjQ5Ni1teHBw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 6 years ago
Updated: almost 2 years ago
Identifiers: GHSA-q75g-2496-mxpp, CVE-2017-16113
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-16113
- https://github.com/get/parsejson/issues/4
- https://github.com/advisories/GHSA-q75g-2496-mxpp
- https://www.npmjs.com/advisories/528
Blast Radius: 0.0
Affected Packages
npm:parsejson
Dependent packages: 55
Dependent repositories: 149,707
Downloads: 1,295,274 last month
Affected Version Ranges: <= 0.0.3
No known fixed version
All affected versions: 0.0.1, 0.0.2, 0.0.3