GHSA-g36h-6r4f-3mqp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-g36h-6r4f-3mqp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-g36h-6r4f-3mqp/GHSA-g36h-6r4f-3mqp.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-g36h-6r4f-3mqp
- Aliases
- Published
- 2018-07-24T20:16:11Z
- Modified
- 2023-11-01T04:47:52.255937Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Regular Expression Denial of Service in string package
- Details
-
Affected versions of
stringare vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into theunderscoreorunescapeHTMLmethods.Recommendation
There is currently no direct patch for this vulnerability.
Currently, the best solution is to avoid passing user input to the
underscoreandunescapeHTMLmethods.Alternatively, a user provided patch is available in Pull Request #217, however this patch has not been tested, nor has it been merged by the package author.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-400" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:35:57Z" }- References
Affected packages
npm / string
Package
- Name
- string
- View open source insights on deps.dev
- Purl
- pkg:npm/string