Regular Expression Denial of Service (ReDoS)

Affecting decamelize package, versions >=1.1.0 <1.1.2

high severity

Overview

decamelize converts a camelized string into a lowercased one with a custom separator.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). The caller-supplied separator is interpolated into a regular expression without being escaped, so a separator containing regex metacharacters such as `|` changes the meaning of the pattern and can cause the regex engine to hang for long periods of time.

Remediation

Update decamelize to version 1.1.2 or higher.
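As an added illustration (hypothetical code, not decamelize's own source), the converter below builds a RegExp from the caller's separator: the unsafe variant interpolates it verbatim, the hardened variant escapes it first, and a regex-free variant sidesteps the problem entirely.

```javascript
// Escape every character that has special meaning inside a RegExp, so the
// separator is matched literally wherever it is interpolated into a pattern.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Unsafe: the separator is spliced into the pattern as-is. With sep = '..'
// the pattern "(..)+" matches any run of characters, and with sep = '|'
// it becomes "(|)+", an empty alternation. Output is corrupted and, for
// patterns that backtrack, the engine can stall (the defect class above).
function decamelizeUnsafe(str, sep) {
  sep = sep === undefined ? '_' : sep;
  const collapse = new RegExp('(' + sep + ')+', 'g'); // sep NOT escaped
  return str
    .replace(/([a-z\d])([A-Z])/g, '$1' + sep + '$2')
    .replace(collapse, sep)
    .toLowerCase();
}

// Hardened: escape the separator before it reaches the regex engine, and
// use a non-capturing group so only the literal separator run is matched.
function decamelizeSafe(str, sep) {
  sep = sep === undefined ? '_' : sep;
  const collapse = new RegExp('(?:' + escapeRegExp(sep) + ')+', 'g');
  return str
    .replace(/([a-z\d])([A-Z])/g, '$1' + sep + '$2')
    .replace(collapse, sep)
    .toLowerCase();
}

// Alternative: never put untrusted input into a pattern at all. Only the
// fixed camel-boundary regex runs; the separator is handled by split/join.
function decamelizeNoRegexSep(str, sep) {
  sep = sep === undefined ? '_' : sep;
  const joined = str.replace(/([a-z\d])([A-Z])/g, '$1' + sep + '$2');
  return joined.split(sep).filter(Boolean).join(sep).toLowerCase();
}

// Constructed sample inputs; compare the three variants on a metacharacter
// separator to see the unsafe one diverge.
console.log(decamelizeUnsafe('fooBar', '..'));     // "..": whole string eaten
console.log(decamelizeSafe('fooBar', '..'));       // "foo..bar"
console.log(decamelizeNoRegexSep('fooBar', '|'));  // "foo|bar"
```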

Credit
Jay Freeman
CWE
CWE-400
Snyk ID
npm:decamelize:20151223
Disclosed
23 Dec, 2015
Published
16 Apr, 2017