Headline

CVE-2023-25166: Regular Expression Denial of Service (ReDoS) Vulnerability

formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula’s parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability.

2 years ago

CVE

Open in Source

#vulnerability #dos #nodejs #git

- Actions
  
  Automate any workflow
- Packages
  
  Host and manage packages
- Security
  
  Find and fix vulnerabilities
- Codespaces
  
  Instant dev environments
- Copilot
  
  Write better code with AI
- Code review
  
  Manage code changes
- Issues
  
  Plan and track work
- Discussions
  
  Collaborate outside of code

*   Explore
*   All features
*   Documentation
*   GitHub Skills
*   Blog

- For
- Enterprise
- Teams
- Startups
- Education
- By Solution
- CI/CD & Automation
- DevOps
- DevSecOps
- Case Studies
- Customer Stories
- Resources
- GitHub Sponsors
  
  Fund open source developers

*   The ReadME Project
    
    GitHub community articles
    

*   Repositories
*   Topics
*   Trending
*   Collections

Pricing
Notifications
Fork 8
Code
Issues
Pull requests
Actions
Projects
Security
Insights

Moderate

Marsup published GHSA-c2jc-4fpr-4vhg

Feb 8, 2023

Package

npm @sideway/formula (npm)

Affected versions

< 3.0.1

Description

Impact

User-provided strings to formula’s parser might lead to polynomial execution time.

Patches

Users should upgrade to 3.0.1+.

Workarounds

None.

Severity

CVSS base metrics

User interaction

Required

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Weaknesses

### Impact User-provided strings to formula's parser might lead to polynomial execution time. ### Patches Users should upgrade to 3.0.1+. ### Workarounds None.

2 years ago

ghsa

Open in Source

#vulnerability #dos #nodejs #js #git