Regular Expression Denial Of Service (ReDoS)

Affecting uri-js package, versions <3.0.0

high severity

Overview

uri-js is an RFC 3986/3987 compliant, scheme extendable URI/IRI parsing/validating/resolving library for JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when validating URLs. A crafted URL string makes the validating regular expression backtrack super-linearly, so an application that passes untrusted input (for example a user-supplied URL) to the parser can have its CPU, and in Node.js its event loop, tied up by a single short input.
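The following is an added example to show the failure mode the advisory names; it is not uri-js code and the patterns are not the library's own. The host-label regexes, the length cap and the attack string are all constructed for illustration. It times a nested-quantifier pattern against an unambiguous one on the same input, and shows the two mitigations a practitioner would apply alongside upgrading: an unambiguous pattern and a length bound checked before the regex runs.

```javascript
// Added example (not uri-js code): a nested quantifier on attacker-controlled
// URL text is a ReDoS, and what fixes it.

// Hypothetical host-label validator. `([a-z0-9]+)+` can split one run of
// characters into exponentially many groupings, so when the trailing `$`
// fails the engine tries every grouping before giving up.
const VULNERABLE_LABEL = /^([a-z0-9]+)+$/;

// Same language, no ambiguity: one character class, one quantifier, so a
// failed match backtracks at most linearly in the input length.
const SAFE_LABEL = /^[a-z0-9]+$/;

// Upper bound on a DNS label (RFC 1035). Rejecting oversize input before the
// regex runs bounds the work any pattern can be made to do.
const MAX_LABEL_LENGTH = 63;

// Validate a single host label with the length check applied first.
function isValidLabel(label, pattern = SAFE_LABEL) {
  if (typeof label !== 'string') return false;
  if (label.length === 0 || label.length > MAX_LABEL_LENGTH) return false;
  return pattern.test(label);
}

// Constructed attack string: a run of valid characters followed by one
// character that can never match, which forces the full backtrack.
function evilInput(n) {
  return 'a'.repeat(n) + '!';
}

// Time a single .test() call in milliseconds (performance is a Node global).
function timeMatch(pattern, input) {
  const start = performance.now();
  const matched = pattern.test(input);
  return { matched, ms: performance.now() - start };
}

// Run both patterns on the same evil input of length n + 1 and report timings.
function compare(n) {
  const input = evilInput(n);
  return {
    n,
    vulnerable: timeMatch(VULNERABLE_LABEL, input),
    safe: timeMatch(SAFE_LABEL, input),
  };
}

// Stand-alone demo: the vulnerable time roughly doubles per added character,
// the safe time stays flat. Keep n small; n around 30 already takes seconds.
for (const n of [14, 18, 22]) {
  const r = compare(n);
  console.log(
    `n=${r.n} vulnerable=${r.vulnerable.ms.toFixed(2)}ms ` +
    `safe=${r.safe.ms.toFixed(3)}ms (both reject: ${!r.vulnerable.matched && !r.safe.matched})`
  );
}
```

Both patterns give the same answer on every input; the only difference is how long the rejection takes. The length check is the defence that survives a bad pattern: with labels capped at 63 characters the worst case is bounded, whereas without it every extra character doubles the cost of the vulnerable regex.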

Remediation

Upgrade uri-js to version 3.0.0 or higher.

References

Credit
Peter Dotchev
CWE
CWE-400
Snyk ID
npm:uri-js:20160804
Disclosed
15 Mar, 2016
Published
16 Apr, 2017