Regular Expression Denial of Service

Module: debug

Published: September 27th, 2017

Reported by: Cristian-Alexandru Staicu



Vulnerable: <= 2.6.8 || >= 3.0.0 <= 3.0.1
Patched: >= 2.6.9 < 3.0.0 || >= 3.1.0


The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters of input to block for 2 seconds, making this a low severity issue.


Upgrade to version 2.6.9 or greater if you are on the 2.6.x series, or to 3.1.0 or greater.
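
To check a dependency tree against the ranges above, this added example (not part of the original advisory and not code from the debug project) walks a package-lock.json and flags every copy of debug in the vulnerable ranges. The sample lockfile and the package names other than debug are constructed, and the nested "dependencies" layout of lockfileVersion 1 is assumed.

```javascript
// Advisory ranges: vulnerable if <= 2.6.8, or >= 3.0.0 and <= 3.0.1.

// Parse "x.y.z" into [x, y, z]. Assumption: pre-release/build suffixes are
// ignored, so "3.0.0-rc1" is treated as 3.0.0 (errs on the side of flagging).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unparseable version: ' + v);
  return m.slice(1).map(Number);
}

// Three-way comparison of two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableDebug(version) {
  const v = parseVersion(version);
  if (cmp(v, [2, 6, 8]) <= 0) return true;
  return cmp(v, [3, 0, 0]) >= 0 && cmp(v, [3, 0, 1]) <= 0;
}

// Recursively walk the nested "dependencies" objects, because transitive
// copies of debug can be pinned at different versions than the top-level one.
function findVulnerableDebug(node, path = []) {
  const hits = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = path.concat(name);
    if (name === 'debug' && isVulnerableDebug(info.version)) {
      hits.push({ path: here.join(' > '), version: info.version });
    }
    hits.push(...findVulnerableDebug(info, here));
  }
  return hits;
}

// Constructed sample lockfile; "example-*" packages are hypothetical.
const sampleLock = {
  name: 'example-app', lockfileVersion: 1,
  dependencies: {
    debug: { version: '3.1.0' },
    'example-web': { version: '1.0.0', dependencies: { debug: { version: '2.6.1' } } },
    'example-ws': { version: '1.0.0', dependencies: { debug: { version: '3.0.1' } } },
    'example-test': { version: '1.0.0', dependencies: { debug: { version: '2.6.9' } } },
  },
};

console.log(findVulnerableDebug(sampleLock));
```

A top-level debug at a patched version does not clear the tree: the nested copies are resolved separately and each must be upgraded through its parent package.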

