CVE-2017-16116

Published: Jun 7, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The string module is a module that provides extra string operations. The string module is vulnerable to regular expression denial of service when specifically crafted untrusted user input is passed into the underscore or unescapeHTML methods.

Affected (2)

Products: String Project: String

String Project

1 product

String

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
String Project String	Up to 0.2.1
String Project String	From 0.2.2 to 3.3.3

Related CWEs

CWE-400

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (4)

https://github.com/jprichardson/string.js/issues/212

Source: support@hackerone.com

ExploitThird Party Advisory

https://nodesecurity.io/advisories/536

Source: support@hackerone.com

PatchThird Party Advisory

https://github.com/jprichardson/string.js/issues/212

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://nodesecurity.io/advisories/536

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.