
Regular Expression Denial of Service in debug

Low severity GitHub Reviewed Published Aug 9, 2018 to the GitHub Advisory Database • Updated Mar 25, 2024

Package

npm debug (npm)

Affected versions

< 2.6.9
>= 3.0.0, < 3.1.0
>= 3.2.0, < 3.2.7
>= 4.0.0, < 4.3.1

Patched versions

2.6.9
3.1.0
3.2.7
4.3.1

Description

Affected versions of debug are vulnerable to regular expression denial of service (ReDoS) when untrusted user input is passed into the %o formatter. The formatter collapses whitespace around newlines in the inspected value with a regular expression; a long run of whitespace that contains no newline at all makes the regex engine backtrack in time quadratic in the input length, blocking the event loop.

Because roughly 50,000 characters of such input are needed to block the event loop for about 2 seconds, the issue is rated low severity.

The vulnerable pattern was re-introduced in version 3.2.0 and patched again in versions 3.2.7 and 4.3.1.

Recommendation

Version 2.x: update to version 2.6.9.
Version 3.0.x: update to version 3.1.0.
Version 3.2.x: update to version 3.2.7 or later.
Version 4.x: update to version 4.3.1 or later.

History

Published to the GitHub Advisory Database Aug 9, 2018
Reviewed Jun 16, 2020
Last updated Mar 25, 2024

Severity

Low (3.7 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: Low

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE ID

CVE-2017-16137

GHSA ID

GHSA-gxpj-cx7g-858c
