Regular Expression Denial of Service (ReDoS) Affecting millisecond package, versions <0.1.2
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Regular Expression Denial of Service (ReDoS) vulnerabilities in an interactive lesson.
Start learning- Snyk IDnpm:millisecond:20151120
- published25 Nov 2015
- disclosed20 Nov 2015
- creditLuigi Pinca
Introduced: 20 Nov 2015
CVE-2015-8315 (opens in a new tab)How to fix?
Upgrade to version 0.1.2.
Overview
Regular expression Denial of Service (ReDoS) vulnerability exists in milliseconds module, affecting version 0.1.1 and below.
milliseconds, the milliseconds conversion utility is used to convert times to milliseconds.
The regular expression used by the function to parse the time is vulnerable to denial of service attack, where extremely long strings that are passed to milliseconds() can take long time to process and as a result block the event loop for that period.
Details
"The Regular expression Denial of Service (ReDoS) is a Denial of Service attack, that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression to enter these extreme situations and then hang for a very long time." [1]