CVE-2022-1929 – devcert
Package
Manager: npm
Name: devcert
Vulnerable Version: >=0 <1.2.1
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00201 (percentile: 0.42394)
Details
Regular expression denial of service in devcert
An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package when an attacker is able to supply arbitrary input to the certificateFor method.
Metadata
Created: 2022-06-03T00:01:01Z
Modified: 2022-06-14T20:02:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-fp36-299x-pwmw/GHSA-fp36-299x-pwmw.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-fp36-299x-pwmw
Finding: F211
Auto approve: 1