-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Legitimate redos test case? #45
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If I am not mistaken, this CVE can only be triggered in one of these fairly absurd cases where you're already under attack with nothing less than arbitrary code execution.
Are there any legitimate test cases (making this a legitimate vulnerability) for this CVE, or did this just get fixed for the sake of responding to the CVE in a timely manner? This is a significant issue in the NPM ecosystem and I'd like to understand if this purely a problem of the CVE classification system or if there are other elements at work here.
Yes, it could be improved but a CVE at all let alone a HIGH SEVERITY CVE is masking more important work out there in the high severity range with legitimate reproduction steps.
GHSA-4q6p-r6v2-jvc5
I don't see how this is a network / remotely triggerable vulnerability that warrants a high CVE score like this.
The text was updated successfully, but these errors were encountered: