Lucene search

[email protected]CVE-2023-30858

HistoryApr 28, 2023 - 9:15 p.m.

CVE-2023-30858

2023-04-2821:15:09

CWE-1333

[email protected]

web.nvd.nist.gov

cve-2023-30858

denosaurs

emoji package

regex inefficiency

security patch

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

47.2%

JSON

The Denosaurs emoji package provides emojis for dinosaurs. Starting in version 0.1.0 and prior to version 0.3.0, the reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. The issue has been patched in 0.3.0. As a workaround, avoid using the replace, unemojify, or strip functions.

Affected configurations

Vulners

NVD

Node

denosaursemojiRange<0.3.0

VendorProductVersionCPE
denosaursemoji*cpe:2.3:a:denosaurs:emoji:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
denosaurs	emoji	*	cpe:2.3:a:denosaurs:emoji::::::::

CNA Affected

[
  {
    "vendor": "denosaurs",
    "product": "emoji",
    "versions": [
      {
        "version": "< 0.3.0",
        "status": "affected"
      }
    ]
  }
]

References

github.com/denosaurs/emoji/pull/11

github.com/denosaurs/emoji/security/advisories/GHSA-w2xx-hjhp-gx5v

huntr.dev/bounties/444f2255-5085-466f-ba0e-5549fa8846a3/

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

47.2%

JSON

Related for CVE-2023-30858

osv1 prion1 cvelist1 nvd1