3.0.0-canary.1
9 years ago
3 years ago
Known vulnerabilities in the org.webjars.npm:ms package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for freeVulnerability | Vulnerable Version |
---|---|
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an incomplete fix for previously reported vulnerability npm:ms:20151024. The fix limited the length of accepted input string to 10,000 characters, and turned to be insufficient making it possible to block the event loop for 0.3 seconds (on a typical laptop) with a specially crafted string passed to Proof of concept
Note: Snyk's patch for this vulnerability limits input length to 100 characters. This new limit was deemed to be a breaking change by the author. Based on user feedback, we believe the risk of breakage is very low, while the value to your security is much greater, and therefore opted to still capture this change in a patch for earlier versions as well. Whenever patching security issues, we always suggest to run tests on your code to validate that nothing has been broken. For more information on How to fix Regular Expression Denial of Service (ReDoS)? Upgrade | [,2.0.0) |
org.webjars.npm:ms is a tiny milisecond conversion utility. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS)
attack when converting a time period string (i.e. How to fix Regular Expression Denial of Service (ReDoS)? Upgrade | [,0.7.1) |