Regular Expression Denial of Service (DoS)

Affecting millisecond package, versions <0.1.2

Overview

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the millisecond module, affecting version 0.1.1 and below.

millisecond is a conversion utility used to convert time strings to milliseconds. The regular expression the function uses to parse the time string is vulnerable to a denial of service attack: extremely long strings passed to millisecond() can take a long time to process and, as a result, block the event loop for that period.
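As an added example (not the millisecond package's own code), the following duration parser shows the two defences that close this class of bug: a length cap applied before any regex runs, and a pattern whose adjacent repetitions can never match the same character, so a failing match has no catastrophic backtracking to do. The function name, unit set, cap and sample inputs are assumptions chosen for illustration.

```javascript
// Added example, not the millisecond package's own code: a duration
// parser hardened against ReDoS. Function name, unit set and the
// length cap are assumptions chosen for illustration.

// 1. Bound the input before any regex runs. Regex work grows with the
//    input it sees, so a small cap bounds the worst case outright.
const MAX_INPUT_LENGTH = 100;

// 2. Use an unambiguous pattern: digits with an optional fraction (or a
//    bare fraction), optional whitespace, then a fixed unit alternation,
//    anchored at both ends. Adjacent quantified parts (\d, \., \s, unit)
//    can never match the same character, so a failing match has no
//    exponential backtracking paths to explore.
const DURATION_RE = /^(\d+(?:\.\d+)?|\.\d+)\s*(ms|s|m|h|d)?$/i;

const UNIT_MS = { ms: 1, s: 1000, m: 60000, h: 3600000, d: 86400000 };

// Returns milliseconds, or undefined when the input is not a string,
// exceeds the cap, or is not a well-formed duration.
function parseDuration(input) {
  if (typeof input !== 'string' || input.length > MAX_INPUT_LENGTH) {
    return undefined;
  }
  const match = DURATION_RE.exec(input.trim());
  if (match === null) return undefined;
  const value = parseFloat(match[1]);
  const unit = (match[2] || 'ms').toLowerCase();
  return value * UNIT_MS[unit];
}

// Constructed samples. The last one is an over-long string of the kind
// that stalls a backtracking parser; here the length check rejects it
// before the regex is ever consulted, so it costs microseconds.
const SAMPLES = ['10s', '1.5h', '250', '.5m', '2 d', '9'.repeat(50000) + '!'];

function timeSamples() {
  return SAMPLES.map((s) => {
    const t0 = process.hrtime.bigint();
    const ms = parseDuration(s);
    const micros = Number(process.hrtime.bigint() - t0) / 1000;
    return { input: s.slice(0, 12), ms, micros };
  });
}

for (const r of timeSamples()) {
  console.log(`${r.input.padEnd(12)} -> ${r.ms} (${r.micros.toFixed(0)} us)`);
}
```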

Details

"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]

Remediation

Upgrade to version 0.1.2.

References

CVSS Score

5.3 (medium severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: Low
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Credit: Luigi Pinca
CVE: CVE-2015-8315
CWE: CWE-400
Snyk ID: npm:millisecond:20151120
Disclosed: 20 Nov, 2015
Published: 25 Nov, 2015