CVE-2014-8881 – bleach

Package

Manager: npm
Name: bleach
Vulnerable Version: >=0.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

Regular Expression Denial of Service in bleach All versions of the `bleach` package are vulnerable to a regular expression denial of service attack when certain types of input are passed into the sanitize function. ## Recommendation The `bleach` package is not currently maintained, and has not seen an update since 2014. To mitigate this issue, it is necessary to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.](https://www.npmjs.com/search?q=html%20sanitizer&page=1&ranking=optimal).

Metadata

Created: 2020-09-01T15:16:43Z
Modified: 2021-09-23T21:06:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-mvmf-cvfx-qg55/GHSA-mvmf-cvfx-qg55.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-mvmf-cvfx-qg55
Finding: F002
Auto approve: 1