Regular Expression Denial of Service in debug

Low severity GitHub Reviewed Published Aug 9, 2018 • Updated Aug 13, 2022

Package

npm debug (npm)

Affected versions

< 2.6.9
>= 3.0.0, < 3.1.0

Patched versions

2.6.9
3.1.0

Description

Affected versions of debug are vulnerable to regular expression denial of service (ReDoS) when untrusted user input is passed into the %o formatter.

Because roughly 50,000 characters of input are needed to block the event loop for about 2 seconds, the issue is rated low severity. It is still a denial of service: while the regular expression backtracks, the single-threaded Node.js process stops serving every other request, not just the one carrying the payload.

Recommendation

Version 2.x.x: Update to version 2.6.9 or later.
Version 3.x.x: Update to version 3.1.0 or later.

debug is almost always pulled in transitively, and a dependency tree often contains several nested copies at different versions, so check every copy in the tree (for example with npm ls debug or npm audit), not only a direct dependency.

Severity

Low

CVE ID

CVE-2017-16137

GHSA ID

GHSA-gxpj-cx7g-858c

Source code

No known source code