Skip to content

Patch for RegEx DoS exploit#2

Open
shirakaba wants to merge 1 commit into
jhs:masterfrom
shirakaba:shirakaba-security-redos
Open

Patch for RegEx DoS exploit#2
shirakaba wants to merge 1 commit into
jhs:masterfrom
shirakaba:shirakaba-security-redos

Conversation

@shirakaba
Copy link
Copy Markdown

@shirakaba shirakaba commented Jul 16, 2018

From https://nodesecurity.io/advisories/534 :

OVERVIEW

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

REMEDIATION

Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.

@shirakaba
Patch for RegEx DoS exploit
afaddb9 
From https://nodesecurity.io/advisories/534 :

OVERVIEW

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.


REMEDIATION

Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@shirakaba