Regular Expression Denial of Service (ReDoS)

Affecting bson package, versions >=0.5.0 <1.0.5

Overview

bson is a BSON parser for Node and the browser.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). A crafted input of about 50K characters can keep the vulnerable regular expression matching for about 10 seconds, tying up the event loop for that time.

Disclosure Timeline

  • Feb 15th, 2018 - Initial Disclosure to package owner
  • Feb 26th, 2018 - Initial Response from package owner
  • Feb 26th, 2018 - Fix issued
  • Feb 27th, 2018 - Vulnerability published

Remediation

Upgrade bson to version 1.0.5 or higher.
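One way to check whether the remediation has actually landed is to walk a lockfile for every bson entry, including transitive ones, and flag those inside the affected range. The code below is an added example, not part of the advisory or the bson project; the lockfile fragment it scans is constructed for illustration and the `findAffectedBson` and `isAffectedBsonVersion` names are hypothetical.

```javascript
// Added example (not from the advisory or the bson project): flag bson
// installs that fall inside the advisory's affected range ">=0.5.0 <1.0.5"
// by walking a package-lock.json-style dependency tree. No npm packages used.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
// A prerelease tag is treated as preceding its release (1.0.5-beta < 1.0.5),
// so such builds are still flagged rather than silently passed.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]), m[4] ? 0 : 1];
}

// Comparator over parsed versions: negative, zero or positive.
function compareSemver(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Range from the advisory: affected >=0.5.0 and <1.0.5; fixed in 1.0.5.
const AFFECTED_MIN = [0, 5, 0, 1];
const FIXED_IN = [1, 0, 5, 1];

function isAffectedBsonVersion(version) {
  const v = parseSemver(version);
  return compareSemver(v, AFFECTED_MIN) >= 0 && compareSemver(v, FIXED_IN) < 0;
}

// Recurse through a lockfileVersion-1 "dependencies" tree and return the
// dependency path of every bson entry whose version is affected.
function findAffectedBson(node, path = [], hits = []) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === 'bson' && isAffectedBsonVersion(entry.version)) {
      hits.push(here.join(' > '));
    }
    findAffectedBson(entry, here, hits); // nested (transitive) dependencies
  }
  return hits;
}

// Constructed sample lockfile fragment (not a real project): the top-level
// bson is fixed, but a transitive copy under mongodb-core is still affected.
const SAMPLE_LOCK = { dependencies: {
  bson: { version: '1.0.5' },
  mongodb: { version: '2.2.33', dependencies: {
    'mongodb-core': { version: '2.1.17', dependencies: { bson: { version: '1.0.4' } } } } },
} };

console.log(findAffectedBson(SAMPLE_LOCK)); // lists the affected transitive path
```

A real run would `JSON.parse` the project's package-lock.json in place of `SAMPLE_LOCK`; an empty result means every bson copy is at 1.0.5 or later.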

CVSS Score

3.7
low severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    None
  • Availability
    Low
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
  • Credit
    Jamie Davis
  • CVE
    CVE-2018-13863
  • CWE
    CWE-185 CWE-400
  • Snyk ID
    npm:bson:20180225
  • Disclosed
    27 Feb, 2018
  • Published
    27 Feb, 2018