Vulnerability: debug package #116

@jnalbert

Description

Hi! There is a vulnerability identified by GitHub in the debug package.

In fact, there is a ReDoS vulnerability in versions < 4.3.1.

Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.

As it takes 50,000 characters to block the event loop for 2 seconds, this is a low severity issue.

This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.

You can find more info here: GHSA-gxpj-cx7g-858c

Do you think you could update your package.json file accordingly?
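A quick way for a maintainer to check whether a lockfile pulls in one of the versions the report names, as an added example that is not part of the issue or of the debug project. It only covers the two ranges stated above (3.2.0 up to but excluding 3.2.7, and 4.0.0 up to but excluding 4.3.1); older 2.x/3.x lines are not covered here and should be checked against the advisory. The lockfile layout assumed is the npm v2/v3 `packages` map, and the sample lockfile is constructed.

```javascript
// Added example (not from the issue or the debug project): flag copies of
// debug whose version falls in the ranges the issue names as vulnerable to
// the o-formatter ReDoS. Assumes a package-lock.json v2/v3 "packages" map.

function parseSemver(v) {
  // Accepts "1.2.3", "v1.2.3" and ignores prerelease/build suffixes
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Ranges taken from the issue text: re-introduced in 3.2.0 and fixed in
// 3.2.7; the 4.x line is affected below 4.3.1. Earlier lines are not listed.
const VULNERABLE_RANGES = [
  { min: [3, 2, 0], fixed: [3, 2, 7] },
  { min: [4, 0, 0], fixed: [4, 3, 1] },
];

function isVulnerableDebug(version) {
  const v = parseSemver(version);
  if (!v) return false; // unparsable version: leave for manual review
  return VULNERABLE_RANGES.some(r => cmp(v, r.min) >= 0 && cmp(v, r.fixed) < 0);
}

// Walk every installed copy of debug, including nested ones under other
// dependencies, and report which of them fall in a vulnerable range.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/debug' || path.endsWith('/node_modules/debug')) {
      findings.push({ path, version: entry.version, vulnerable: isVulnerableDebug(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: a patched top-level copy and a vulnerable
// nested copy pulled in by a transitive dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/debug': { version: '4.3.1' },
    'node_modules/some-dep/node_modules/debug': { version: '3.2.6' },
  },
};

console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile with `auditLockfile(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`; a nested copy under another dependency is the case a top-level `package.json` bump alone will not fix.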

Metadata

Labels

- priority: p2 (Moderately-important priority. Fix may not be included in next release.)
- type: bug (Error or flaw in code with unintended results or allowing sub-optimal usage patterns.)
