EIQ-2019-0010



ID

EIQ-2019-0010

CVE

-

Description

braces is vulnerable to regular expression denial of service

Date

08 Mar 2019

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

Fixed in 2.5.0

Assessment

braces Node.js module versions 2.3.0 and earlier are vulnerable to regular expression denial of service (ReDoS).
The regular expression the module uses to detect empty braces, (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}), backtracks excessively on crafted input.
This can result in a denial of service (CPU consumption).
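Added example, not code from the advisory or from the braces project: the page's empty-brace regex placed beside a hand-written linear-time scanner that accepts the same strings, so the check runs in time proportional to the input length regardless of how the commas are arranged. Like the regex (which has no "$" anchor), the scanner ignores anything after the closing brace. The function names and the sample inputs are constructed for this illustration.

```javascript
// The regular expression quoted in the advisory (braces <= 2.3.0).
const EMPTY_BRACES_RE = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/;

// Linear-time scanner for the same language as EMPTY_BRACES_RE:
//   "{"  comma-run  ("{,+}")*  comma-run  "}"
// with at least one comma at the outer level. Each character is visited
// once, so there is no backtracking to exploit. Trailing text after the
// closing brace is ignored, matching the unanchored regex.
function isEmptyBracesLinear(str) {
  let i = 0;
  if (str[i++] !== "{") return false;
  let outerCommas = 0;
  while (str[i] === ",") { i++; outerCommas++; }
  // Zero or more inner groups of the form "{,+}"; a malformed group
  // (no comma, or no closing brace) ends the group sequence.
  while (str[i] === "{") {
    let j = i + 1;
    let innerCommas = 0;
    while (str[j] === ",") { j++; innerCommas++; }
    if (innerCommas === 0 || str[j] !== "}") break;
    i = j + 1;
  }
  while (str[i] === ",") { i++; outerCommas++; }
  return str[i] === "}" && outerCommas > 0;
}

// Constructed inputs (not from the advisory): accepted forms, near-misses,
// and strings with text before or after the braces.
const SAMPLES = [
  "{,}", "{,,,}", "{,{,}}", "{{,},}", "{,{,,}{,}}",   // accepted
  "{}", "{{,}}", "{,{}}", "{,{,},{,}}", "a{,}", ",{,}", "{", // rejected
  "{,}tail",                                          // accepted (prefix match)
];

// Inputs on which the regex and the scanner disagree; an empty array means
// the linear scanner is a drop-in replacement on these samples.
function disagreements(samples = SAMPLES) {
  return samples.filter((s) => EMPTY_BRACES_RE.test(s) !== isEmptyBracesLinear(s));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s).padEnd(16), isEmptyBracesLinear(s));
  }
  console.log("disagreements:", disagreements());
}
```

The cross-check only establishes agreement on the listed samples; when replacing a regex in production code, the safer path is the upstream fix (braces 2.3.1 or later), with a scanner like this reserved for cases where the dependency cannot be upgraded.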

Mitigation

Update to braces version 2.3.1 or later.

Affected versions

2.2.1 to 2.4.0 inclusive.

Notes

For more information, see:

In release notes 2.3.4

In release notes 2.5.0