Vulnerability Details CVE-2017-16137
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.8%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://github.com/visionmedia/debug/issues/501
- https://github.com/visionmedia/debug/pull/504
- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E
- https://nodesecurity.io/advisories/534
- https://github.com/visionmedia/debug/issues/501
- https://github.com/visionmedia/debug/pull/504
- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E
- https://nodesecurity.io/advisories/534
Products affected by CVE-2017-16137
-
cpe:2.3:a:debug_project:debug:2.0.0
-
cpe:2.3:a:debug_project:debug:2.1.0
-
cpe:2.3:a:debug_project:debug:2.1.1
-
cpe:2.3:a:debug_project:debug:2.1.2
-
cpe:2.3:a:debug_project:debug:2.1.3
-
cpe:2.3:a:debug_project:debug:2.2.0
-
cpe:2.3:a:debug_project:debug:2.3.0
-
cpe:2.3:a:debug_project:debug:2.3.1
-
cpe:2.3:a:debug_project:debug:2.3.2
-
cpe:2.3:a:debug_project:debug:2.3.3
-
cpe:2.3:a:debug_project:debug:2.4.0
-
cpe:2.3:a:debug_project:debug:2.4.1
-
cpe:2.3:a:debug_project:debug:2.4.2
-
cpe:2.3:a:debug_project:debug:2.4.3
-
cpe:2.3:a:debug_project:debug:2.4.4
-
cpe:2.3:a:debug_project:debug:2.4.5
-
cpe:2.3:a:debug_project:debug:2.5.0
-
cpe:2.3:a:debug_project:debug:2.5.1
-
cpe:2.3:a:debug_project:debug:2.5.2
-
cpe:2.3:a:debug_project:debug:2.6.0
-
cpe:2.3:a:debug_project:debug:2.6.1
-
cpe:2.3:a:debug_project:debug:2.6.2
-
cpe:2.3:a:debug_project:debug:2.6.3
-
cpe:2.3:a:debug_project:debug:2.6.4
-
cpe:2.3:a:debug_project:debug:2.6.5
-
cpe:2.3:a:debug_project:debug:2.6.6
-
cpe:2.3:a:debug_project:debug:2.6.7
-
cpe:2.3:a:debug_project:debug:2.6.8
-
cpe:2.3:a:debug_project:debug:3.0.0
-
cpe:2.3:a:debug_project:debug:3.0.1