Regular Expression Denial of Service in slug

Moderate severity GitHub Reviewed Published Jul 24, 2018 to the GitHub Advisory Database • Updated Jan 12, 2023

Package

npm slug (npm)

Affected versions

<= 0.9.1

Patched versions

0.9.2

Description

Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input.

The issue is low severity, as it takes about 50,000 characters of input to block the event loop for roughly 2 seconds.

Recommendation

Update to version 0.9.2 or later.
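The following is an added example, not code from the slug package or from this advisory. It shows the mitigation a consumer can apply while the dependency is being upgraded: bound the length of untrusted input before it reaches a regex-backed slugifier, and keep a small timing harness that makes superlinear growth (the ReDoS symptom described above) visible during review. The cap of 512 characters, the `simpleSlugify` stand-in and the sample inputs are all assumptions constructed here; slug's own regular expression is not reproduced.

```javascript
// Added example (not slug's code). Defensive pattern for the ReDoS described
// in the advisory: reject oversized untrusted input before any regex runs, and
// measure how a slugifier's run time grows with input length.

// Assumed cap. The advisory cites ~50,000 characters for a ~2-second stall,
// so a limit two orders of magnitude smaller keeps any blocking negligible.
const MAX_SLUG_INPUT = 512;

// Wraps any slugify function with a length guard. Rejecting oversized input
// before the regex runs is the cheapest mitigation when the regex itself
// cannot be changed yet (e.g. until the dependency is upgraded to 0.9.2+).
function safeSlugify(input, slugify, maxLen = MAX_SLUG_INPUT) {
  if (typeof input !== 'string') {
    throw new TypeError('slug input must be a string');
  }
  if (input.length > maxLen) {
    throw new RangeError(`slug input of ${input.length} chars exceeds cap ${maxLen}`);
  }
  return slugify(input);
}

// Linear-time slugifier stand-in (constructed here; not the slug package's
// implementation). Each regex scans the string once without nested
// quantifiers, so cost is proportional to input length.
function simpleSlugify(s) {
  return s
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '');
}

// Timing harness: run fn on inputs of increasing length and record wall-clock
// milliseconds per call. Used to check that cost scales roughly linearly.
function measureGrowth(fn, makeInput, sizes) {
  return sizes.map((n) => {
    const s = makeInput(n);
    const start = process.hrtime.bigint();
    fn(s);
    const ms = Number(process.hrtime.bigint() - start) / 1e6;
    return { n, ms };
  });
}

// Returns true when, between consecutive samples, the time ratio exceeds the
// size ratio by more than `factor`, i.e. growth noticeably worse than linear.
// A timing-only heuristic; treat a true result as a prompt to inspect the regex.
function looksSuperlinear(samples, factor = 4) {
  for (let i = 1; i < samples.length; i++) {
    const prev = samples[i - 1];
    const cur = samples[i];
    const sizeRatio = cur.n / prev.n;
    const timeRatio = prev.ms > 0 ? cur.ms / prev.ms : 0;
    if (timeRatio > sizeRatio * factor) return true;
  }
  return false;
}

// Constructed input generator: punctuation-heavy text of exactly n characters.
function makeInput(n) {
  return 'A b! '.repeat(Math.ceil(n / 5)).slice(0, n);
}

// Usage: returns the growth samples and the heuristic verdict for the stand-in.
function demo() {
  const samples = measureGrowth(simpleSlugify, makeInput, [1000, 2000, 4000, 8000]);
  return { samples, superlinear: looksSuperlinear(samples) };
}

module.exports = { safeSlugify, simpleSlugify, measureGrowth, looksSuperlinear, makeInput, demo };
```

`safeSlugify('Hello, World!', simpleSlugify)` returns `hello-world`, while a 50,000-character string is rejected with a `RangeError` before any regex work happens. The timing harness is deliberately a heuristic: it cannot prove a regex safe, but a jump from linear to multiplicative growth between doublings is the signal that should trigger a closer look at nested or overlapping quantifiers.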

Published to the GitHub Advisory Database Jul 24, 2018
Reviewed Jun 16, 2020
Last updated Jan 12, 2023

Severity

Moderate

EPSS score

0.105%
(44th percentile)

CVE ID

CVE-2017-16117

GHSA ID

GHSA-jxqq-cqm6-pfq9

Source code

No known source code
