Severity: low

Regular Expression Denial of Service



Affected versions of timespan are vulnerable to a regular expression denial of service when parsing dates.

The amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.


No direct patch is available for this vulnerability.

Currently, the best available solution is to use a functionally equivalent alternative package.

It is also sufficient to ensure that user input is not being passed into timespan, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. published

    Advisory published
    Sep 25th, 2017
  2. reported

    Initial report by Cristian-Alexandru Staicu
    Sep 21st, 2017