Severity: moderate

Regular Expression Denial of Service



Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input.

The issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds,

About 50k characters can block the event loop for 2 seconds.


Update to version 0.9.2 or later.


Have content suggestions? Send them to [email protected]

Advisory timeline

  1. updated

    0.9.2 released with fix.
    Oct 25th, 2018
  2. reported

    Sep 25th, 2017
  3. published

    Advisory published
    Sep 25th, 2017