Overview
fast-csv and @fast-csv/parse before version 4.3.6 has a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing.
Impact
You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6
Patches
This has been patched in v4.3.6
This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.
Remediation
Upgrade to version 4.3.6 or later.
Resources
- https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp
- https://lgtm.com/query/8609731774537641779/
- https://github.com/C2FO/fast-csv/issues/540
- https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e
- https://www.npmjs.com/package/@fast-csv/parse
- https://www.npmjs.com/package/fast-csv
Have content suggestions? Send them to [email protected]
Advisory timeline
published
Advisory PublishedDec 8th, 2020reported
Reported by AnonymousDec 8th, 2020
