GHSA-8cv5-p934-3hwp

Source

https://github.com/advisories/GHSA-8cv5-p934-3hwp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/12/GHSA-8cv5-p934-3hwp/GHSA-8cv5-p934-3hwp.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-8cv5-p934-3hwp

Aliases

CVE-2020-26256

Related

CVE-2020-26256

Published

2020-12-08T21:42:53Z

Modified

2023-11-01T04:52:44.399842Z

Severity

5.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H CVSS Calculator

Summary

Denial of service in fast-csv

Details

Impact

Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty option when parsing.

Patches

This has been patched in v4.3.6

Workarounds

You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6

References

This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable. Link to query run.

For more information

If you have any questions or comments about this advisory: * Open an issue in fast-csv

Database specific

{
    "github_reviewed": true,
    "nvd_published_at": "2020-12-08T22:15:00Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-400"
    ],
    "github_reviewed_at": "2020-12-08T21:42:31Z"
}

References

Affected packages

npm / fast-csv

Package

Name: fast-csv; View open source insights on deps.dev
Purl: pkg:npm/fast-csv

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.6

npm / @fast-csv/parse

Package

Name: @fast-csv/parse; View open source insights on deps.dev
Purl: pkg:npm/%40fast-csv/parse

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.6