Regular Expression Denial of Service

Module: is-my-json-valid

Published: January 18th, 2016

Reported by: Adam Baldwin

CVE-2016-2537

CWE-400

Vulnerable: <=2.12.3
Patched: >=2.12.4

Overview

Versions of is-my-json-valid prior to 2.12.4 are affected by a regular expression denial of service (ReDoS) vulnerability when user-supplied input reaches a utc-millisec validator.

Remediation

Update to version 2.12.4 or later.