Regular Expression Denial of Service in sshpk · CVE-2018-3737 · GitHub Advisory Database · GitHub

Regular Expression Denial of Service in sshpk

High severity GitHub Reviewed Published Aug 15, 2018 to the GitHub Advisory Database • Updated Jan 31, 2023

Package

sshpk (npm)

Affected versions

< 1.13.2

Patched versions

1.13.2

Description

Versions of sshpk before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Recommendation

Update to version 1.13.2, 1.14.1 or later.

References

Published by the National Vulnerability Database

Jun 7, 2018

Published to the GitHub Advisory Database Aug 15, 2018

Reviewed Jun 16, 2020

Last updated Jan 31, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H