Regular Expression Denial of Service in csv-parse

high severity Published Oct 15, 2019 • Updated Jul 27, 2021

Package

csv-parse (npm)

Affected versions

< 4.4.6

Patched versions

4.4.6

Description

Versions of csv-parse prior to 4.4.6 are vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large specially-crafted input very slowly, leading to a Denial of Service. This is triggered when using the cast option.
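The practical check for this advisory is whether any copy of csv-parse in a dependency tree still falls in the affected range (< 4.4.6). The script below is an added example, not code from the advisory or from the csv-parse project: it compares semver strings against the patched version from the advisory and walks a lockfile-style dependency map (name to `{version, dependencies}`) to report every affected copy, including nested ones that a top-level upgrade would miss. The dependency map `SAMPLE_LOCK` is constructed sample data, and the map shape is an assumption made for the example rather than the exact layout of any particular lockfile format.

```javascript
// Added example (not from the advisory or the csv-parse project): decide whether
// a csv-parse version falls in the affected range "< 4.4.6" of CVE-2019-17592,
// then scan a lockfile-style dependency map for affected copies.

const PATCHED_VERSION = "4.4.6"; // from the advisory: affected versions are < 4.4.6

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts; null on junk.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(version).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b. A pre-release sorts before the
// release of the same version, so "4.4.6-beta.1" is still below the patched 4.4.6.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.prerelease && !pb.prerelease) return -1;
  if (!pa.prerelease && pb.prerelease) return 1;
  return 0;
}

// True when the given csv-parse version is in the advisory's affected range.
function isAffected(version) {
  return compareSemver(version, PATCHED_VERSION) < 0;
}

// Walk a dependency map (assumed shape: name -> {version, dependencies}) and
// return a "path" string for every csv-parse copy that is still affected.
function findAffectedCsvParse(deps, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (name === "csv-parse" && isAffected(info.version)) {
      hits.push(here.join(" > "));
    }
    hits.push(...findAffectedCsvParse(info.dependencies, here));
  }
  return hits;
}

// Constructed sample: the direct copy is patched, a nested copy is not.
const SAMPLE_LOCK = {
  "csv-parse": { version: "4.4.6", dependencies: {} },
  "some-report-lib": {
    version: "1.2.0",
    dependencies: { "csv-parse": { version: "4.4.5", dependencies: {} } },
  },
};

console.log(findAffectedCsvParse(SAMPLE_LOCK));
```

Running the script prints only the nested `some-report-lib@1.2.0 > csv-parse@4.4.5` path; the direct copy is already at the patched version. The point of walking the whole tree rather than only direct dependencies is that the cast-option trigger described above lives in whichever copy of csv-parse actually parses the input, so a transitive copy in the affected range is just as exposed.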

Recommendation

Upgrade to version 4.4.6 or later.

CVE ID

CVE-2019-17592

CVSS Score

7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H