Regular Expression Denial of Service (ReDoS)

Affecting debug package, versions <2.6.9 || >=3.0.0 <3.1.0

low severity


debug is a JavaScript debugging utility modelled after Node.js core's debugging technique..

debug uses printf-style formatting. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks via the the %o formatter (Pretty-print an Object all on a single line). It used a regular expression (/\s*\n\s*/g) in order to strip whitespaces and replace newlines with spaces, in order to join the data into a single line. This can cause a very low impact of about 2 seconds matching time for data 50k characters long.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Many Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size), allowing an attacker to exploit this and can cause the program to enter these extreme situations by using a specially crafted input and cause the service to excessively consume CPU, resulting in a Denial of Service.

You can read more about Regular Expression Denial of Service (ReDoS) on our blog.


Upgrade debug to version 2.6.9, 3.1.0 or higher.


Snyk patch available for versions:

Do your applications use this vulnerable package?

Cristian-Alexandru Staicu
Snyk ID
05 Sep, 2017
26 Sep, 2017