A vulnerability has been reported: CVE-2021-29059 #27
Comments
I was not aware of that one. Thanks for letting me know.
@yetingli It's quite unprofessional to publish a CVE without consulting with the maintainer first. I replied to your email and never got a response. The CVE also has an incorrect version range. It should be 2.1.0 to 4.2.2. Please correct this ASAP.
Thank you for reminding me. I released a CVE because these issues had been fixed. My original intention was to hope that everyone can use your package. Besides, I would like to kindly remind you that even though a regex has polynomial (i.e., not exponential) complexity, it also has a ReDoS vulnerability, as in the Stack Overflow 2016 outage. Warmest regards,
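The point raised in the comment above, as an added example that is not code from this project or from any participant in the thread: a trailing-whitespace regex whose worst case is only quadratic, not exponential, in the same shape as the trim pattern behind the Stack Overflow 2016 outage, still stalls on a few thousand whitespace characters followed by one non-space. The pattern, the input sizes and the linear replacement are assumptions chosen for illustration, not the package's own code.

```javascript
// Added example: polynomial (quadratic) ReDoS on a trailing-whitespace trim.
// Not code from the project discussed in this issue; pattern and inputs are
// assumptions for illustration.

// Quadratic: for every start position the engine greedily consumes the rest of
// the whitespace run, fails at `$` on the final non-space, then gives back one
// character at a time, re-testing `$` each time. N spaces followed by a
// non-space therefore cost O(N^2) steps even though nothing ever matches.
const VULNERABLE_TRIM_END = /\s+$/;

function trimEndVulnerable(s) {
  return s.replace(VULNERABLE_TRIM_END, "");
}

// Linear replacement: one backwards scan, no regex backtracking at all.
function trimEndSafe(s) {
  let end = s.length;
  while (end > 0 && /\s/.test(s[end - 1])) end--;
  return s.slice(0, end);
}

// Constructed hostile input: n whitespace characters followed by one non-space,
// so the pattern never matches and must fail from every start position.
function hostileInput(n) {
  return " ".repeat(n) + "x";
}

const now = () =>
  typeof performance !== "undefined" ? performance.now() : Date.now();

function timeMs(fn, input) {
  const t0 = now();
  fn(input);
  return now() - t0;
}

// Ratio of run times when the hostile input grows by `factor`.
// A linear routine gives roughly `factor`; a quadratic regex gives roughly
// `factor * factor`. The small run goes first so JIT warm-up, if anything,
// makes the ratio smaller, not larger.
function growthRatio(fn, n, factor) {
  const small = timeMs(fn, hostileInput(n));
  const large = timeMs(fn, hostileInput(n * factor));
  return large / Math.max(small, 1e-3);
}

// Stand-alone run: compare growth of the regex trim and the linear scan.
console.log(
  "regex  x8 input ->",
  growthRatio(trimEndVulnerable, 2000, 8).toFixed(1),
  "x time"
);
console.log(
  "scan   x8 input ->",
  growthRatio(trimEndSafe, 2000, 8).toFixed(1),
  "x time"
);
```

Run with `node`. Both functions return the same strings on every input; the difference is only cost on non-matching input, which is exactly what a ReDoS check on a polynomial pattern has to measure. Anchoring the pattern does not help here, since `$` is what fails; the fix is to drop the regex for a bounded loop (or `String.prototype.trimEnd`) or to cap the input length before matching.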
I'm ok with keeping it, but the version range should be fixed.
I will change this version range ASAP. Thank you and have a nice day.
This is done.
Source: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-29059
I'm not an expert in this kind of vulnerability, but I noticed the warnings coming up and wanted to let you know, as I noticed that this topic hasn't been mentioned or discussed here.