Regular Expression Denial of Service (ReDoS)
Vulnerable module: debug
Introduced through: [email protected], [email protected] and others
Detailed paths
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › [email protected] › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › [email protected] › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › [email protected] › [email protected] › [email protected] › [email protected]
Remediation: Upgrade to [email protected].
Overview
debug is a JavaScript debugging utility modelled after Node.js core's debugging technique.
debug uses printf-style formatting. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks via the %o formatter (Pretty-print an Object all on a single line). It used a regular expression (/\s*\n\s*/g) to strip whitespace and replace newlines with spaces, in order to join the data into a single line. This can cause a very low impact of about 2 seconds matching time for data 50k characters long.