    Severity: moderate

    Regular Expression Denial of Service

    underscore.string

    Overview

    Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).

    The function unescapeHTML is vulnerable to ReDoS because the regex it uses to match entities is overly broad, so crafted input forces heavy backtracking. The measured slowdown is approximately 2 s for a 50,000-character input and grows exponentially with larger inputs.

    Remediation

    Upgrade to version 3.3.5 or higher.


    Advisory timeline

    1. Advisory Published: Dec 11th, 2018