
Potential exponential regex in monitor mode

low severity Published Apr 27, 2021 in redis/node-redis • Updated Jun 14, 2021

Package

npm redis (npm)

Affected versions

>= 2.6.0, < 3.1.1

Patched versions

3.1.1

Description

Impact

When a client is in monitoring mode, the regex being used to detect monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service.
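An added illustration, not code from node-redis: it contrasts a hypothetical backtracking-prone pattern shaped like the Redis MONITOR line format (not the pattern the project actually used) with a single-pass parser whose cost is linear in the input length. The MONITOR line format and the `parseMonitorLine` name are assumptions made for this example.

```javascript
// Added example, not node-redis code. A Redis MONITOR line looks like:
//   1339518083.107412 [0 127.0.0.1:60866] "keys" "*"

// Hypothetical risky pattern (illustrative only): a lazy ".+?" inside a
// repeated group, pinned by "$", is ambiguous. A run of quoted chunks can be
// absorbed by one ".+?" or split across repetitions, so on a long input that
// fails to match at the end the engine retries a combinatorial number of
// splits. This is the shape of the problem, not the project's regex.
const RISKY_MONITOR_RE = /^\d+\.\d+ \[\d+ .+\]( ".+?")+$/;

// Linear-time alternative: an unambiguous header pattern, then a hand-rolled
// left-to-right scan of the quoted arguments. Returns null when the line is
// not a MONITOR message, so a caller can fall back to normal reply handling.
function parseMonitorLine(line) {
  const header = /^(\d+\.\d+) \[(\d+) ([^\]]+)\]/.exec(line);
  if (!header) return null;
  const args = [];
  let i = header[0].length;
  while (i < line.length) {
    // every argument is preceded by a space and opened by a double quote
    if (line[i] !== ' ' || line[i + 1] !== '"') return null;
    i += 2;
    let arg = '';
    let closed = false;
    while (i < line.length) {
      const c = line[i++];
      if (c === '\\') {
        // backslash escape: keep the escaped character verbatim
        if (i >= line.length) return null;
        arg += line[i++];
      } else if (c === '"') {
        closed = true;
        break;
      } else {
        arg += c;
      }
    }
    if (!closed) return null; // unterminated argument
    args.push(arg);
  }
  if (args.length === 0) return null;
  return { timestamp: header[1], db: Number(header[2]), client: header[3], args };
}
```

Each character of the input is visited once in `parseMonitorLine`, so its running time stays proportional to the line length regardless of how many quote characters the line contains.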

Patches

The problem was fixed in commit 2d11b6d and was released in version 3.1.1.

References

#1569 (GHSL-2021-026)


@leibale published the maintainer security advisory Apr 23, 2021

CVE ID

CVE-2021-29469

Credits