package-lock.json

debug Regular Expression Denial of Service
Open

        "debug": {
          "version": "2.6.8",
          "bundled": true,
          "dev": true,
          "optional": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.

Recommendation:

Upgrade to version 2.6.9 or greater if you are on the 2.6.x series or 3.1.0 or greater.

tough-cookie Regular Expression Denial of Service
Open

        "tough-cookie": {
          "version": "2.3.2",
          "bundled": true,
          "dev": true,
          "optional": true,
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

The tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slow down of around 2 seconds.

Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is limited to around 7.3 seconds of blocking.

At the time of writing all versions <= 2.3.2 are vulnerable.

Recommendation:

Please update to version 2.3.3 or greater.

marked Regular Expression Denial of Service
Open

    "marked": {
      "version": "0.3.17",
      "resolved": "https://registry.npmjs.org/marked/-/marked-0.3.17.tgz",
      "integrity": "sha512-+AKbNsjZl6jFfLPwHhWmGTqE009wTKn3RTmn9K8oUKHrX/abPJjtcRtXpYB/FFrwPJRUA86LX/de3T0knkPCmQ==",
      "dev": true
Severity: Minor
Found in package-lock.json by nodesecurity

Regular Expression Denial of Service

Overview:

The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.

Recommendation:

Consider another markdown parser until the issue can be addressed.
