{
  "ok": false,
  "issues": {
    "vulnerabilities": [
      {
        "id": "npm:ms:20170412",
        "url": "https://snyk.io/vuln/npm:ms:20170412",
        "title": "Regular Expression Denial of Service (ReDoS)",
        "type": "vuln",
        "description": "## Overview\n[`ms`](https://www.npmjs.com/package/ms) is a tiny millisecond conversion utility.\n\nAffected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an incomplete fix for previously reported vulnerability [npm:ms:20151024](https://snyk.io/vuln/npm:ms:20151024). The fix limited the length of accepted input string to 10,000 characters, and turned to be insufficient making it possible to block the event loop for 0.3 seconds (on a typical laptop) with a specially crafted string passed to `ms()` function.\n\n*Proof of concept*\n```js\nms = require('ms');\nms('1'.repeat(9998) + 'Q') // Takes about ~0.3s\n```\n\n**Note:** Snyk's patch for this vulnerability limits input length to 100 characters. This new limit was deemed to be a breaking change by the author.\nBased on user feedback, we believe the risk of breakage is _very_ low, while the value to your security is much greater, and therefore opted to still capture this change in a patch for earlier versions as well. Whenever patching security issues, we always suggest to run tests on your code to validate that nothing has been broken.\n\nFor more information on `Regular Expression Denial of Service (ReDoS)` attacks, go to our [blog](https://snyk.io/blog/redos-and-catastrophic-backtracking/).\n\n## Disclosure Timeline\n- Feb 9th, 2017 - Reported the issue to package owner.\n- Feb 11th, 2017 - Issue acknowledged by package owner.\n- April 12th, 2017 - Fix PR opened by Snyk Security Team.\n- May 15th, 2017 - Vulnerability published.\n- May 16th, 2017 - Issue fixed and version `2.0.0` released.\n- May 21th, 2017 - Patches released for versions `>=0.7.1, <=1.0.0`.\n\n## Remediation\nUpgrade `ms` to version 2.0.0 or higher.\n\n## References\n- [GitHub PR](https://github.com/zeit/ms/pull/89)\n- [GitHub Commit](https://github.com/zeit/ms/pull/89/commits/305f2ddcd4eff7cc7c518aca6bb2b2d2daad8fef)\n",
        "from": [
          "[email protected]",
          "[email protected]",
          "[email protected]",
          "[email protected]"
        ],
        "package": "ms",
        "version": "0.7.1",
        "severity": "low",
        "language": "js",
        "packageManager": "npm",
        "semver": {
          "unaffected": ">=2.0.0",
          "vulnerable": "<2.0.0"
        },
        "publicationTime": "2017-05-15T06:02:45.497Z",
        "disclosureTime": "2017-04-11T21:00:00.000Z",
        "isUpgradable": true,
        "isPatchable": true,
        "identifiers": {
          "CVE": [],
          "CWE": [
            "CWE-400"
          ],
          "ALTERNATIVE": [
            "SNYK-JS-MS-10509"
          ]
        },
        "credit": [
          "Snyk Security Research Team"
        ],
        "CVSSv3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
        "cvssScore": 3.7,
        "patches": [
          {
            "id": "patch:npm:ms:20170412:0",
            "urls": [
              "https://s3.amazonaws.com/snyk-rules-pre-repository/snapshots/develop/patches/npm/ms/20170412/ms_100.patch"
            ],
            "version": "=1.0.0",
            "comments": [],
            "modificationTime": "2017-05-16T10:12:18.990Z"
          },
          {
            "id": "patch:npm:ms:20170412:1",
            "urls": [
              "https://s3.amazonaws.com/snyk-rules-pre-repository/snapshots/develop/patches/npm/ms/20170412/ms_072-073.patch"
            ],
            "version": "=0.7.2 || =0.7.3",
            "comments": [],
            "modificationTime": "2017-05-16T10:12:18.990Z"
          },
          {
            "id": "patch:npm:ms:20170412:2",
            "urls": [
              "https://s3.amazonaws.com/snyk-rules-pre-repository/snapshots/develop/patches/npm/ms/20170412/ms_071.patch"
            ],
            "version": "=0.7.1",
            "comments": [],
            "modificationTime": "2017-05-16T10:12:18.990Z"
          }
        ],
        "isIgnored": true,
        "isPatched": false,
        "upgradePath": [
          "[email protected]",
          "[email protected]",
          "[email protected]",
          "[email protected]"
        ]
      }
    ],
    "licenses": []
  },
  "dependencyCount": 250,
  "packageManager": "npm"
}
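The record above is the JSON emitted by `snyk test --json`: one `ms@0.7.1` ReDoS finding that is upgradable, patchable, and currently ignored, in a project of 250 dependencies. What a CI pipeline needs from that shape is a decision, not a dump. The script below is an added example, not Snyk's code and not part of the original page: it triages a report of this shape into gate failures, ignores that still have a fix available (worth re-reviewing, as this one is), and findings below the chosen threshold, then derives an exit code. It assumes that `from` and `upgradePath` run from the project root outward so that index 1 names the direct dependency and its target version; because the page's own values in those arrays are redacted, every chain entry other than `ms@0.7.1` / `ms@2.0.0` below is hypothetical, as is the `SNYK_FAIL_ON` environment variable. The embedded report is a constructed, trimmed copy of the finding shown above.

```javascript
// Added example (not Snyk's code): gate a CI job on a `snyk test --json`
// report of the shape shown above.
//
// Assumptions, labelled as such:
//  - `from` and `upgradePath` run from the project root outward, so index 1
//    is the direct dependency to bump and `upgradePath[1]` its target version.
//    The page's values for these arrays are redacted, so every chain entry
//    below except ms@0.7.1 / ms@2.0.0 is hypothetical.
//  - The gate fails only on non-ignored findings at or above `failOn`; an
//    ignored finding that still has a fix is surfaced for re-review.

const SEVERITY_RANK = { low: 1, medium: 2, high: 3, critical: 4 };

// Constructed sample: the single `ms` finding from the page, trimmed to the
// fields the gate reads.
const SAMPLE_REPORT = {
  ok: false,
  issues: {
    vulnerabilities: [
      {
        id: 'npm:ms:20170412',
        title: 'Regular Expression Denial of Service (ReDoS)',
        package: 'ms',
        version: '0.7.1',
        severity: 'low',
        cvssScore: 3.7,
        semver: { unaffected: '>=2.0.0', vulnerable: '<2.0.0' },
        isUpgradable: true,
        isPatchable: true,
        isIgnored: true,
        isPatched: false,
        from: ['example-app@1.0.0', 'dep-a@1.2.3', 'dep-b@0.9.0', 'ms@0.7.1'],
        upgradePath: ['example-app@1.0.0', 'dep-a@1.3.0', 'dep-b@1.0.0', 'ms@2.0.0'],
      },
    ],
    licenses: [],
  },
  dependencyCount: 250,
  packageManager: 'npm',
};

// What a developer must actually do about one finding: bump the direct
// dependency (preferred), apply the Snyk patch, or nothing is available.
function remediationFor(vuln) {
  const direct = Array.isArray(vuln.from) ? vuln.from[1] : undefined;
  const target = Array.isArray(vuln.upgradePath) ? vuln.upgradePath[1] : undefined;
  if (vuln.isUpgradable && target) {
    return { kind: 'upgrade', direct, to: target, fixedIn: vuln.semver && vuln.semver.unaffected };
  }
  if (vuln.isPatchable && !vuln.isPatched) return { kind: 'patch', direct };
  return { kind: 'none', direct };
}

// Split findings into gate failures, ignores that still have a fix available
// (candidates for un-ignoring), and findings below the threshold.
function triage(report, { failOn = 'medium' } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity "${failOn}"`);
  const vulns = (report.issues && report.issues.vulnerabilities) || [];
  const result = { failing: [], ignoredButFixable: [], belowThreshold: [],
                   dependencyCount: report.dependencyCount };
  for (const v of vulns) {
    const entry = {
      id: v.id, package: `${v.package}@${v.version}`, title: v.title,
      severity: v.severity, cvssScore: v.cvssScore, remediation: remediationFor(v),
    };
    if (v.isIgnored) {
      if (entry.remediation.kind !== 'none') result.ignoredButFixable.push(entry);
    } else if ((SEVERITY_RANK[v.severity] || 0) >= threshold) {
      result.failing.push(entry);
    } else {
      result.belowThreshold.push(entry);
    }
  }
  return result;
}

function exitCodeFor(result) {
  return result.failing.length > 0 ? 1 : 0;
}

function describeFinding(entry) {
  const r = entry.remediation;
  const fix = r.kind === 'upgrade' ? `upgrade ${r.direct} -> ${r.to} (fixed in ${r.fixedIn})`
            : r.kind === 'patch' ? `apply Snyk patch via ${r.direct}`
            : 'no fix available';
  return `${entry.id} ${entry.package} [${entry.severity}, CVSS ${entry.cvssScore}] ${entry.title}: ${fix}`;
}

function formatReport(result) {
  const lines = [`dependencies scanned: ${result.dependencyCount}`];
  for (const e of result.failing) lines.push(`FAIL   ${describeFinding(e)}`);
  for (const e of result.ignoredButFixable) lines.push(`REVIEW ignored but fixable: ${describeFinding(e)}`);
  for (const e of result.belowThreshold) lines.push(`info   ${describeFinding(e)}`);
  return lines.join('\n');
}

// Stand-alone use: `node gate.js report.json`; with no argument the
// constructed sample is used. SNYK_FAIL_ON is a hypothetical knob.
if (typeof require !== 'undefined' && require.main === module) {
  const path = process.argv[2];
  const report = path ? JSON.parse(require('fs').readFileSync(path, 'utf8')) : SAMPLE_REPORT;
  const result = triage(report, { failOn: process.env.SNYK_FAIL_ON || 'medium' });
  console.log(formatReport(result));
  process.exitCode = exitCodeFor(result);
}
```

Run against the sample, the gate passes (the only finding is ignored) but prints a REVIEW line: the ignore is hiding an issue that a one-line bump of the direct dependency would remove, which is exactly the kind of ignore that should carry an expiry. Raising `failOn` to `low` on a copy with `isIgnored` cleared turns the same finding into a failure with exit code 1.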