Known vulnerabilities: 2 via 2 paths
- Vulnerable module: helmet-csp
- Introduced through: email@example.com
Introduced through: firstname.lastname@example.org › email@example.com › firstname.lastname@example.org
Remediation: Upgrade to email@example.com.
helmet-csp is Content Security Policy middleware that helps prevent unwanted content from being injected into your web pages.
Affected versions of this package are vulnerable to Configuration Override affecting the application's Content Security Policy (CSP). Its browser sniffing for Firefox deletes the default-src directive, which is the fallback policy for every fetch directive the application does not set explicitly. Because the sniffing keys on the request's User-Agent header, a client can trigger that code path simply by presenting the User-Agent it matches, which allows an attacker to remove an application's default CSP.
Remediation: Upgrade helmet-csp to version 2.9.2 or higher.
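The bug class described above, as an added example that is not helmet-csp's code: a hypothetical CSP builder whose user-agent sniffing rewrites the policy per request and drops default-src on the way, beside a version that validates the policy once at startup and never keys it on request data, plus the check a practitioner would run against the header a server actually emits. The policy values, the Firefox test, the constructed User-Agent strings and every function name here are assumptions made for the illustration.

```javascript
// Added illustration of the vulnerability class, not helmet-csp's source.
// Policy values, the Firefox check and the function names are hypothetical.

// Policy the application intends to serve (constructed sample).
const policy = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example.invalid'],
  'img-src': ["'self'", 'data:'],
};

// Serialize a directive map into a Content-Security-Policy header value.
function serialize(directives) {
  return Object.entries(directives)
    .map(([name, values]) => `${name} ${values.join(' ')}`)
    .join('; ');
}

// Vulnerable pattern: the policy is recomputed on every request from the
// attacker-controlled User-Agent, and the "compatibility" branch deletes the
// fallback directive instead of translating it. Any client that sends the
// matching User-Agent receives a policy without default-src.
function buildCspVulnerable(directives, userAgent) {
  const out = { ...directives };
  if (/Firefox\//.test(userAgent)) {
    delete out['default-src']; // the configuration override
  }
  return serialize(out);
}

// Hardened pattern: fail fast at startup if the fallback is missing, and
// serve the same policy to every client regardless of User-Agent.
function buildCspHardened(directives) {
  const fallback = directives['default-src'];
  if (!Array.isArray(fallback) || fallback.length === 0) {
    throw new Error('CSP must declare default-src; it is the fallback for every unlisted fetch directive');
  }
  return serialize(directives);
}

// Check to run against the header a real server returns: is default-src present?
function hasDefaultSrc(headerValue) {
  return headerValue
    .split(';')
    .some((d) => d.trim().split(/\s+/)[0].toLowerCase() === 'default-src');
}

// Constructed User-Agents: one that the sniffing matches, two that it does not.
const USER_AGENTS = [
  'Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0',
  'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36',
  'curl/8.4.0',
];

// One 'true'/'false' per User-Agent so a regression is visible in a single string.
function auditVulnerable() {
  return USER_AGENTS.map((ua) => hasDefaultSrc(buildCspVulnerable(policy, ua))).join(',');
}
function auditHardened() {
  return USER_AGENTS.map(() => hasDefaultSrc(buildCspHardened(policy))).join(',');
}

console.log('vulnerable builder keeps default-src per UA:', auditVulnerable());
console.log('hardened builder keeps default-src per UA:  ', auditHardened());
```

Point hasDefaultSrc at the Content-Security-Policy header your deployment returns for a request carrying a Firefox User-Agent; if default-src is absent, every fetch directive you did not list explicitly is unrestricted for that client. If upgrading is not immediately possible, helmet-csp 2.x also exposed a browserSniff option whose false setting disables user-agent dependent rewriting; verify that option against the exact version you run before relying on it.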
- Vulnerable module: redis
- Introduced through: firstname.lastname@example.org
Introduced through: email@example.com › firstname.lastname@example.org › email@example.com
Remediation: Upgrade to firstname.lastname@example.org.
redis is a high-performance Redis client for Node.js.
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). When a client is in monitoring mode, the monitor_regex regular expression used to detect monitor messages can cause exponential backtracking on some strings, leading to denial of service.
Let’s take the following regular expression as an example:
regex = /A(B|C+)+D/
This regular expression accomplishes the following:
- A: The string must start with the letter 'A'.
- (B|C+)+: The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
- D: Finally, we ensure this section of the string ends with a 'D'.
The expression would match inputs such as
In most cases, it doesn't take very long for a regex engine to find a match:
From there, the number of steps the engine must use to validate a string just continues to grow.
| String | Number of C's | Number of steps |
Remediation: Upgrade redis to version 3.1.1 or higher.
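The exponential behaviour described in the ReDoS explanation above, as an added example that is not code from the page, the redis package or Snyk: a hand-written backtracking matcher for the page's pattern, anchored at the start as /^A(B|C+)+D/, that counts every character test and alternative it tries, beside a single-pass matcher for the equivalent pattern /^A[BC]+D/. The worst-case inputs and the step-counting convention are constructed for this illustration, so the numbers are not the ones Snyk's table reports, but they grow the same way: each extra C roughly doubles the work for the backtracking form and adds one step to the linear form.

```javascript
// Added example: explicit backtracking matcher for /^A(B|C+)+D/ that counts
// its own steps, beside a linear matcher for /^A[BC]+D/. Not the page's or
// the redis package's code; inputs and the counting convention are constructed.

const VULNERABLE = /^A(B|C+)+D/; // the page's pattern, anchored at the start
const SAFE = /^A[BC]+D/;         // matches the same strings, no nested quantifier

// Backtracking matcher for A(B|C+)+D. Every character test and every
// alternative tried counts as one step, mirroring how a backtracking engine
// explores the pattern.
function matchBacktracking(s) {
  let steps = 0;
  // After at least one iteration of the group: try D, else try another iteration.
  function afterGroup(i) {
    steps++;
    if (s[i] === 'D') return true;
    return iteration(i);
  }
  // One iteration of (B|C+): alternative B first, then greedy C+ with backtracking.
  function iteration(i) {
    steps++;
    if (s[i] === 'B' && afterGroup(i + 1)) return true;
    let j = i;
    while (s[j] === 'C') { j++; steps++; }       // greedy: take every C
    for (let k = j; k > i; k--) {                 // then give back one C at a time
      if (afterGroup(k)) return true;
    }
    return false;
  }
  steps++;
  const matched = s[0] === 'A' && iteration(1);
  return { matched, steps };
}

// Linear matcher for A[BC]+D: one decision per character, no backtracking.
function matchLinear(s) {
  let steps = 1;
  if (s[0] !== 'A') return { matched: false, steps };
  let i = 1;
  while (s[i] === 'B' || s[i] === 'C') { i++; steps++; }
  steps++;
  return { matched: i > 1 && s[i] === 'D', steps };
}

// Worst-case input from the explanation: 'A', n C's, then a character that is
// neither B, C nor D, so every split of the C's is tried before failing.
function worstCase(n) {
  return 'A' + 'C'.repeat(n) + 'X';
}

// Step counts for n = 1..maxN, the same table the explanation describes.
function stepTable(maxN) {
  const rows = [];
  for (let n = 1; n <= maxN; n++) {
    rows.push({
      n,
      backtracking: matchBacktracking(worstCase(n)).steps,
      linear: matchLinear(worstCase(n)).steps,
    });
  }
  return rows;
}

// Both hand-written matchers and both native regexes agree on every input.
// Kept to short inputs: VULNERABLE.test is genuinely exponential on long ones.
function allAgree(inputs) {
  return inputs.every((s) => {
    const a = matchBacktracking(s).matched;
    const b = matchLinear(s).matched;
    return a === b && a === VULNERABLE.test(s) && a === SAFE.test(s);
  });
}

console.table(stepTable(14));
console.log('matchers agree:', allAgree(['ACCCD', 'ABBD', 'ABCBCCCD', 'ACCCDXYZ', 'AD', 'AX', worstCase(5)]));
```

The nested quantifier is the whole problem: (B|C+)+ lets the engine divide a run of C's between the inner C+ and the outer + in every possible way before it can conclude that no D follows, while [BC]+ makes exactly one decision per character for the same language. Do not feed worstCase(30) to VULNERABLE.test out of curiosity; V8 backtracks the same way and will block the event loop for a long time. For a real package such as redis the fix has the same shape: rewrite the expression so no quantified group contains another quantifier that can consume the same characters, or bound the input length before matching.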