debug
Regular Expression Denial of Service Open
"debug": {
"version": "2.6.8",
"bundled": true,
"dev": true,
"optional": true,
Regular Expression Denial of Service
Overview:
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.
Recommendation:
Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.
slug
Regular Expression Denial of Service Open
"slug": {
"version": "0.9.1",
"resolved": "https://registry.npmjs.org/slug/-/slug-0.9.1.tgz",
"integrity": "sha1-rwj2CKfBFRa2F3iqgA3OhMUYz9o=",
"requires": {
Regular Expression Denial of Service
Overview:
slug is a module to slugify strings, even if they contain unicode.
slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds.
Recommendation:
There is currently no fix for this issue; consider submitting a pull request to address it.
tough-cookie
Regular Expression Denial of Service Open
"tough-cookie": {
"version": "2.3.2",
"bundled": true,
"dev": true,
"optional": true,
Regular Expression Denial of Service
Overview:
The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds.
Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is limited to around 7.3 seconds of blocking.
At the time of writing, all versions <=2.3.2 are vulnerable.
Recommendation:
Please update to version 2.3.3 or greater.