Regular Expression Denial of Service in string package #37

Closed
opened 2023-11-01 04:46:28 +00:00 by argoyle · 0 comments
argoyle commented 2023-11-01 04:46:28 +00:00 (Migrated from gitlab.com)

⚠️ `dependabot-gitlab` has detected a security vulnerability for `string` in path: `/`, manifest_file: `/package.json` but was unable to update it! ⚠️

| Package | Severity | Affected versions | Patched versions | IDs |
|--------------|----------|-------------------|------------------|----------------------------------------|
| string (NPM) | HIGH | <= 3.3.3 | | `GHSA-g36h-6r4f-3mqp`,`CVE-2017-16116` |

# Description

Affected versions of `string` are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the `underscore` or `unescapeHTML` methods.

## Recommendation

There is currently no direct patch for this vulnerability.

Currently, the best solution is to avoid passing user input to the `underscore` and `unescapeHTML` methods.

Alternatively, a user-provided patch is available in [Pull Request #217](https://github.com/jprichardson/string.js/pull/217/commits/eab9511e4efbc8c521e18b6cf2e8565ae50c5a16), however this patch has not been tested, nor has it been merged by the package author.

# References

* https://nvd.nist.gov/vuln/detail/CVE-2017-16116
* https://github.com/jprichardson/string.js/issues/212
* https://github.com/advisories/GHSA-g36h-6r4f-3mqp
* https://www.npmjs.com/advisories/536
argoyle (Migrated from gitlab.com) closed this issue 2024-02-06 06:53:18 +00:00
Reference: dancefinder/dancefinder-app#37