Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXYycDYtNG1wNy0zcjl2
Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).
The function unescapeHTML is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.
Recommendation
Upgrade to version 3.3.5 or higher.
Permalink: https://github.com/advisories/GHSA-v2p6-4mp7-3r9vJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXYycDYtNG1wNy0zcjl2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 5 years ago
Updated: over 1 year ago
Identifiers: GHSA-v2p6-4mp7-3r9v
References:
- https://github.com/epeli/underscore.string/issues/510
- https://github.com/epeli/underscore.string/pull/517
- https://github.com/epeli/underscore.string/commit/f486cd684c94c12db48b45d52b1472a1b9661029
- https://www.npmjs.com/advisories/745
- https://github.com/advisories/GHSA-v2p6-4mp7-3r9v
Blast Radius: 0.0
Affected Packages
npm:underscore.string
Dependent packages: 3,332Dependent repositories: 255,082
Downloads: 8,354,047 last month
Affected Version Ranges: < 3.3.5
Fixed in: 3.3.5
All affected versions: 0.9.2, 1.0.0, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 2.0.0, 2.1.0, 2.1.1, 2.2.1, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.4.0, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.1.0, 3.1.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.3.0, 3.3.2, 3.3.3, 3.3.4
All unaffected versions: 3.3.5, 3.3.6