
CVE-2022-36034 nitrado.js

Package

Manager: npm
Name: nitrado.js
Vulnerable Version: >=0 <0.2.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00317 (percentile: 0.54212)

Details

Polynomial regular expression used on uncontrolled data in nitrado.js

### Impact

Possible ReDoS when the library receives input containing `{{` together with many repetitions of `{{|`.

### Patches

Patched in all versions above `0.2.5`.

### Workarounds

No known workarounds.

### References

- OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)
- Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS)
- Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity)
- James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf)
- Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)
- Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html)

Metadata

Created: 2022-08-31T22:23:39Z
Modified: 2022-09-08T14:11:35Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-vqc4-v8hc-h2jg/GHSA-vqc4-v8hc-h2jg.json
CWE IDs: ["CWE-1333"]
Alternative ID: GHSA-vqc4-v8hc-h2jg
Finding: F211
Auto approve: 1