An open API service providing security vulnerability metadata for many open source software ecosystems.

GitHub advisory node ID: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhmaHAtZ21oOC1yOHYy (base64 of 016:SecurityAdvisoryGHSA-xfhp-gmh8-r8v2)

Severity: High
EPSS: 0.00399 (0.59505 percentile)

printf vulnerable to Regular Expression Denial of Service (ReDoS)

Affected package: npm:printf
Affected versions: < 0.6.1
Fixed version: 0.6.1

Dependent packages: 211
Dependent repositories: 18,469
Downloads last month: 1,209,620

Affected Version Ranges

All affected versions

0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.7, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.3.0, 0.4.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0

All unaffected versions

0.6.1

The package printf before 0.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression

/\%(?:\(([\w_.]+)\)|([1-9]\d*)\$)?([0 +\-\']*)(\*|\d+)?(\.)?(\*|\d+)?[hlL]?([\%bscdeEfFgGioOuxX])/g

in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity: the flag class [0 +\-'], the width group (\*|\d+)? and the precision group (\*|\d+)? are adjacent, all optional, and all accept the character 0, so an input such as % followed by a long run of zeros and no conversion character can be divided among them in a number of ways that grows with the cube of its length, and the engine tries every division before the match fails. The expression is applied to the format string, so the attack requires that untrusted input reach printf as the format string itself; values substituted for a fixed format string's conversions are not matched by it.

References: