Security Vulnerabilities - CVEs Published In June 2018
The parsejson module is vulnerable to regular expression denial of service when untrusted user input is passed into it to be parsed.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-06-07
The marked module is vulnerable to a regular expression denial of service. Based on the information published in the public issue, 1k characters can block for around 6 seconds.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-06-07
The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-06-07
The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2018-06-07
slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service if specially crafted untrusted input is passed to it. About 50k characters can block the event loop for 2 seconds.
CVSS Score: 7.5 | EPSS Score: 0.004 | Published: 2018-06-07
The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This blocks the event loop, causing a denial of service condition.
CVSS Score: 7.5 | EPSS Score: 0.006 | Published: 2018-06-07
Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This blocks the event loop, causing a denial of service condition.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-06-07
crossenv was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-06-07
http-proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-06-07
proxy.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm.
CVSS Score: 7.5 | EPSS Score: 0.003 | Published: 2018-06-07

