forked from snipe/snipe-it
-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WS-2020-0097 (High) detected in papaparse-4.4.0.js, papaparse-4.4.0.tgz #86
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
WS-2020-0097 - High Severity Vulnerability
papaparse-4.4.0.js
Fast and powerful CSV parser for the browser that supports web workers and streaming large files. Converts CSV to JSON and JSON to CSV.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/PapaParse/4.4.0/papaparse.js
Path to dependency file: /node_modules/papaparse/player/player.html
Path to vulnerable library: /node_modules/papaparse/player/../papaparse.js
Dependency Hierarchy:
papaparse-4.4.0.tgz
Fast and powerful CSV parser for the browser that supports web workers and streaming large files. Converts CSV to JSON and JSON to CSV.
Library home page: https://registry.npmjs.org/papaparse/-/papaparse-4.4.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/papaparse/package.json
Dependency Hierarchy:
Found in base branch: master
papaparse before 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDos). The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and lead to Denial of Service.
Publish Date: 2020-05-19
URL: WS-2020-0097
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1515
Release Date: 2020-05-19
Fix Resolution: 5.2.0
The text was updated successfully, but these errors were encountered: