Regular Expression Denial of Service (ReDoS)

Affecting decamelize package, versions >=1.1.0 <1.1.2

high severity

Overview

decamelize converts a camelized string into a lowercased one with a custom separator.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The separator is not escaped before it is used in a regular expression, so an attacker can supply a separator such as `|`, which will cause the regex parser to hang for long periods of time.
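The following is an added illustration, not decamelize's own source: a decamelize-style helper that pastes a caller-supplied separator into a `RegExp`, shown in the unescaped form the advisory describes and in a hardened form that escapes the separator first. The function names and the "collapse repeated separators" step are assumptions made for the example.

```javascript
// Added example (not the decamelize package's code): how an unescaped
// separator changes the meaning of a dynamically built RegExp, and the
// escaping that keeps it literal.

// Escape every regex metacharacter so `sep` is matched literally.
function escapeRegExp(sep) {
  return sep.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Insert `sep` at lower/digit -> upper boundaries, then collapse runs of the
// separator (assumed step). `buildRe` decides how `sep` becomes a RegExp.
function decamelizeWith(str, sep, buildRe) {
  if (typeof str !== 'string') throw new TypeError('Expected a string');
  return str
    .replace(/([a-z\d])([A-Z])/g, '$1' + sep + '$2')
    .replace(buildRe(sep), sep)
    .toLowerCase();
}

// Vulnerable pattern: the separator is interpolated verbatim, so any regex
// metacharacter in it (| . * + ? ...) is interpreted as syntax, not text.
function decamelizeUnsafe(str, sep = '_') {
  return decamelizeWith(str, sep, s => new RegExp('(?:' + s + ')+', 'g'));
}

// Hardened pattern: escape first, so the separator is always a literal.
function decamelizeSafe(str, sep = '_') {
  return decamelizeWith(str, sep, s => new RegExp('(?:' + escapeRegExp(s) + ')+', 'g'));
}

// With the default separator both behave identically; with a metacharacter
// separator such as '.' the unescaped RegExp matches every character and
// the unsafe version destroys its input, while the safe one keeps it intact.
console.log(decamelizeUnsafe('unicornRainbow'));      // unicorn_rainbow
console.log(decamelizeUnsafe('unicornRainbow', '.')); // .
console.log(decamelizeSafe('unicornRainbow', '.'));   // unicorn.rainbow
```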

Remediation

Update decamelize to version 1.1.2 or higher.

Credit
Jay Freeman
CWE
CWE-400
Snyk ID
npm:decamelize:20151223
Disclosed
23 Dec, 2015
Published
16 Apr, 2017