Regular Expression Denial of Service

Module: debug

Published: September 27th, 2017

Reported by: Cristian-Alexandru Staicu

CVE-NONE

Vulnerable: <= 2.6.8 || >= 3.0.0 <= 3.0.1
Patched: >= 2.6.9 < 3.0.0 || >= 3.1.0

Overview

The debug module is vulnerable to regular expression denial of service (ReDoS) when untrusted user input is passed into the o formatter. It takes around 50k characters to block the event loop for 2 seconds, making this a low severity issue.
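The code below is an added illustration, not code from this advisory or from the debug project. The advisory does not print the offending pattern, so the example assumes the o formatter collapsed whitespace around newlines with a regex of the form /\s*\n\s*/g, and places a single-pass replacement with the same output beside it; the function names and the constructed input of repeated spaces are assumptions as well.

```javascript
// Added example, not the debug project's code. ASSUMPTION: the %o formatter
// in affected versions collapsed whitespace around newlines with /\s*\n\s*/g.
// On a long run of whitespace that contains no '\n', every start position
// inside the run re-scans to the end of it looking for a newline -> O(n^2).

// Vulnerable form (assumed pattern).
function collapseNewlineRunsRegex(str) {
  return str.replace(/\s*\n\s*/g, ' ');
}

// Linear-time form with the same output: one left-to-right pass that
// replaces each maximal whitespace run containing a '\n' with one space and
// copies every other character (including newline-free whitespace) verbatim.
function collapseNewlineRunsLinear(str) {
  const isWs = (c) => /\s/.test(c); // single-character test, no backtracking
  const out = [];
  let i = 0;
  while (i < str.length) {
    if (!isWs(str[i])) { out.push(str[i++]); continue; }
    let j = i;
    let sawNewline = false;
    while (j < str.length && isWs(str[j])) {
      if (str[j] === '\n') sawNewline = true;
      j++;
    }
    out.push(sawNewline ? ' ' : str.slice(i, j));
    i = j;
  }
  return out.join('');
}

// Wall-clock time of one call, in milliseconds.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed input: 20k spaces and no newline (the advisory's 50k takes ~2 s).
  const hostile = ' '.repeat(20000);
  console.log('regex  :', timeMs(collapseNewlineRunsRegex, hostile).toFixed(1), 'ms');
  console.log('linear :', timeMs(collapseNewlineRunsLinear, hostile).toFixed(1), 'ms');
}
```

Running the file prints the time each form needs on the same input; the linear version stays in the low milliseconds while the regex form grows quadratically with the length of the whitespace run.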

Remediation

Upgrade to version 2.6.9 or greater if you are on the 2.x series, or to version 3.1.0 or greater if you are on the 3.x series.
