    Severity: moderate

    Regular Expression Denial of Service



    Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS).

    The function unescapeHTML is vulnerable to ReDoS because the regular expression it uses to match HTML entities is overly broad: on crafted input the engine backtracks across the string repeatedly instead of failing fast. The slowdown is approximately 2 s for a 50,000-character input and grows far faster than linearly with larger inputs. Because JavaScript regular expressions run synchronously on the event loop, a single request carrying such a string can stall the whole process.


    Upgrade to version 3.3.5 or higher.
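    The failure mode described above and the version check for the fix, as an added example in JavaScript that is not taken from the underscore.string source or from this advisory: the &([^;]+); pattern is an assumption standing in for the overly broad regex, the bounded pattern beside it is one hardening of that shape, the names unescapeHTMLUnbounded, unescapeHTMLBounded, timeMs, redosInput and isVulnerableVersion are introduced here, and the all-ampersand input is constructed.

```javascript
// Added example (not the library's code). Contrasts an unbounded entity
// regex, assumed to have the shape that produced the advisory's ReDoS, with
// a bounded one, and checks an installed version against the 3.3.5 fix.

const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Decode one entity body (the text between '&' and ';'); null if unknown.
function decodeEntity(code) {
  if (Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, code)) {
    return NAMED_ENTITIES[code];
  }
  const num = /^#(?:x([0-9a-f]{1,6})|([0-9]{1,7}))$/i.exec(code);
  if (!num) return null;
  const cp = num[1] !== undefined ? parseInt(num[1], 16) : parseInt(num[2], 10);
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : null;
}

// Assumed vulnerable shape: the group accepts any run of non-';' characters,
// so on input with many '&' and no ';' the engine rescans the whole tail from
// every '&' (quadratic work, all of it on the event loop).
const UNBOUNDED = /&([^;]+);/g;

// Hardened shape: entity bodies are limited to a fixed alphabet and length
// (32 covers the longest HTML5 entity name), so backtracking per '&' is capped.
const BOUNDED = /&(#?[0-9a-zA-Z]{1,32});/g;

function unescapeWith(re, str) {
  return str.replace(re, (match, code) => {
    const decoded = decodeEntity(code);
    return decoded === null ? match : decoded; // leave unknown entities alone
  });
}

function unescapeHTMLUnbounded(str) { return unescapeWith(UNBOUNDED, str); }
function unescapeHTMLBounded(str) { return unescapeWith(BOUNDED, str); }

// Wall-clock milliseconds for one call of fn(input).
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Constructed worst case: n ampersands and no terminating ';'.
function redosInput(n) { return '&'.repeat(n); }

// True when a semver string is below the 3.3.5 fix named in the advisory.
function isVulnerableVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error('unrecognised version: ' + version);
  const parts = m.slice(1, 4).map(Number);
  const fixed = [3, 3, 5];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(unescapeHTMLBounded('&lt;b&gt;&amp;&quot;x&#39;y&#x27;'));
  for (const n of [5000, 10000, 20000]) {
    console.log(
      `n=${n} unbounded=${timeMs(unescapeHTMLUnbounded, redosInput(n)).toFixed(1)}ms ` +
      `bounded=${timeMs(unescapeHTMLBounded, redosInput(n)).toFixed(1)}ms`
    );
  }
  console.log('3.3.4 vulnerable:', isVulnerableVersion('3.3.4'));
}
```

    Run it with node and double n a few times: the unbounded timing grows roughly fourfold per doubling while the bounded one stays linear. Both functions return identical output for well-formed input, which is the point of the fix: the bounded alphabet and length change only how much work a non-matching '&' can cost.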


    Advisory timeline

    1. Advisory published: Dec 11th, 2018