Regular expression denial of service in codemirror · CVE-2020-7760 · GitHub Advisory Database · GitHub

Regular expression denial of service in codemirror

Moderate severity GitHub Reviewed Published May 10, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

codemirror (npm)

Affected versions

< 5.58.2

Patched versions

5.58.2

Description

This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2.
The vulnerable regular expression is located in https://github.com/codemirror/CodeMirror/blob/cdb228ac736369c685865b122b736cd0d397836c/mode/javascript/javascript.jsL129. The ReDOS vulnerability of the regex is mainly due to the sub-pattern (s|/.?/)

References

Published by the National Vulnerability Database

Oct 30, 2020

Reviewed Apr 21, 2021

Published to the GitHub Advisory Database May 10, 2021

Last updated Feb 1, 2023

Severity

Moderate

5.3

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L