Pull Requests Welcome: We need your help to fix some ReDoS vulnerabilities
Recently a large number of regular expression denial of service (ReDoS) vulnerabilities were released to the public via GitHub issues. These issues don’t have patches yet, but many of the maintainers are welcoming pull requests. I’m writing to ask the community for some help. If you have the time available, or your company supports contributions to open source, please consider helping fix these issues.
Below you will find a list of these currently public and unfixed vulnerabilities, sorted by npm monthly download count. Some of these issues may be unlikely to see actual exploitation, since ReDoS is only reachable where attacker-controlled input is fed to the affected regular expression and the typical use case of many of these libraries never does that. But code and its usage tend to change over time, so it can’t hurt to mitigate these issues before they have the chance to cause problems.
Here are a few other ReDoS issues that have been fixed recently to give you some inspiration for patches.
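As an added illustration of what such a patch typically looks like (this is example code written for this page, not from the Node Security Team or from any of the affected packages; the regexes and sample strings are constructed for the demo), here is a classic ReDoS pattern next to a linear-time rewrite, plus the behaviour check a patch author should run before opening the pull request:

```javascript
// Added example, not code from the Node Security Team post or from any
// affected package: a typical ReDoS pattern, a patch for it, and a check
// that the patch keeps the same behaviour. Regexes and sample strings are
// constructed for this demo.

// Vulnerable: the inner `\w+` and the outer `*` can both consume the same
// run of word characters (the `\s?` between them is optional), so on a
// string of n word characters followed by something that cannot match,
// the engine tries on the order of 2^n ways to split the run before giving up.
const vulnerable = /^(\w+\s?)*$/;

// Patched: the same language (runs of word characters separated by single
// whitespace, optional trailing whitespace, or the empty string), written so
// that each character can be consumed in exactly one way. With no ambiguity
// to explore, a failing match is rejected in time linear in the input length.
const patched = /^(\w+(\s\w+)*\s?)?$/;

// A non-matching suffix is what triggers the backtracking: n word characters
// and then a character neither regex can accept.
function evilInput(n) {
  return 'a'.repeat(n) + '!';
}

// Milliseconds taken by a single test() call.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// The check a patch author wants: both patterns accept and reject the same
// strings, so the fix does not change behaviour for callers.
function sameLanguage(reA, reB, samples) {
  return samples.every((s) => reA.test(s) === reB.test(s));
}

// Constructed samples covering the edge cases of the language: empty string,
// single word, single separators, trailing separator, leading separator,
// doubled separator, non-word characters, tab as whitespace.
const samples = [
  '', 'hello', 'hello world', 'hello world ', ' hello',
  'hello  world', 'a!b', 'tab\tsep', 'x y z', evilInput(12),
];

if (!sameLanguage(vulnerable, patched, samples)) {
  throw new Error('patched regex changed behaviour');
}

// Adding two characters to the input roughly quadruples the time for the
// vulnerable pattern, the signature of exponential backtracking; the patched
// pattern stays flat. Sizes are kept small so the demo finishes quickly;
// n around 25 already takes seconds on V8.
for (const n of [10, 12, 14, 16]) {
  console.log(
    `n=${n}: vulnerable ${timeMatch(vulnerable, evilInput(n)).toFixed(2)} ms, ` +
    `patched ${timeMatch(patched, evilInput(n)).toFixed(2)} ms`
  );
}
```

The rewrite works because `\w` and `\s` are disjoint character classes: once the separator between words is mandatory, there is only one way to partition any input, so the engine never has an alternative to backtrack into. That is the general recipe for these fixes: remove the overlap between adjacent quantified sub-patterns (or between a quantified group and what follows it) rather than bolting on an input length limit, and keep a sample set like the one above to prove the accepted language did not change.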
❤’s from the Node Security Team