Severity: high

Regular Expression Denial of Service



Affected versions of string are vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.


There is currently no direct patch for this vulnerability.

Currently, the best solution is to avoid passing user input to the underscore and unescapeHTML methods.

Alternatively, a user provided patch is available in Pull Request #217, however this patch has not been tested, nor has it been merged by the package author.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. reported

    Initial report by Cristian-Alexandru Staicu
    Sep 25th, 2017
  2. published

    Advisory published
    Sep 25th, 2017