Pull Requests Welcome: We need your help to fix some ReDoS vulnerabilities

Adam Baldwin
Node Security
Sep 21, 2017

Recently there were a large number of regular expression denial of service (ReDoS) vulnerabilities released to the public via GitHub issues. These issues don’t have patches, but many of the maintainers are welcoming pull requests. I’m writing to ask the community for some help. If you have the time available, or your company supports contributions to open source, please consider helping fix these issues.

Below you will find a list of these currently public and unfixed vulnerabilities, sorted by npm monthly download count. While some of these issues may be unlikely to face actual exploitation given the typical use case of the affected libraries, code and its usage tend to change over time, so it can’t hurt to mitigate these issues before they have the chance to cause problems.

https://github.com/visionmedia/debug/issues/501
https://github.com/lodash/lodash/issues/3359
https://github.com/broofa/node-mime/issues/167
https://github.com/epoberezkin/ajv/issues/557
https://github.com/salesforce/tough-cookie/issues/92
https://github.com/moment/moment/issues/4163
https://github.com/epeli/underscore.string/issues/510
https://github.com/get/parsejson/issues/4
https://github.com/chjj/marked/issues/937
https://github.com/jsdom/content-type-parser/issues/3
https://github.com/bestiejs/platform.js/issues/139
https://github.com/indexzero/TimeSpan.js/issues/10
https://github.com/jprichardson/string.js/issues/212
https://github.com/hapijs/content/issues/14
https://github.com/dodo/node-slug/issues/82
https://github.com/tautologistics/node-htmlparser/issues/79
https://github.com/hgoebl/mobile-detect.js/issues/67
https://github.com/kaimallea/isMobile/issues/66
https://github.com/skoranga/node-dns-sync/issues/5

Here are a few other ReDoS issues that have been fixed recently to give you some inspiration for patches.

https://github.com/blakeembrey/no-case/issues/17
https://github.com/node-modules/charset/issues/10
https://github.com/hapijs/content/commit/3a8a6cbaf111955ec514019c2122cb278cc36a23
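To show the shape of fix these issues usually need, here is an added example that is not code from this post or from any of the projects linked above. It pairs a pattern with nested quantifiers against a rewrite that accepts exactly the same inputs but can partition any string in only one way, and it includes the two checks a maintainer wants before merging such a patch: a differential test that the accepted language did not change, and a confirmation that the rewrite stays fast on adversarial input. The "tag list" regex, the inputs, and every function name here are constructed for illustration.

```javascript
// Added example: a ReDoS-prone pattern next to a hardened rewrite, with the
// checks a maintainer wants before merging such a patch. The pattern is
// constructed for illustration and is not taken from any linked issue.

// VULNERABLE: nested quantifiers. A run of k word characters can be split
// among the repetitions of (\w+\s?) in 2^(k-1) ways, and on a failing input
// such as "aaaa...a!" the backtracking engine tries every one of them.
const TAGS_VULNERABLE = /^(\w+\s?)*$/;

// HARDENED: same language (words separated by single whitespace, optional
// single trailing whitespace, or empty), but \w and \s are disjoint and each
// inner repetition must consume a separator, so there is exactly one way to
// partition any input. Matching is linear in the input length.
const TAGS_SAFE = /^(?:\w+(?:\s\w+)*\s?)?$/;

// Wall-clock cost of a single .test() call, in milliseconds.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Adversarial input: a long word followed by one character that can never
// match, forcing the engine to exhaust every partition before it fails.
function adversarial(n) {
  return 'a'.repeat(n) + '!';
}

// Differential check: do two patterns agree on every input in `inputs`?
// Returns the first disagreement, or null when they agree on the whole sample.
function firstDisagreement(reA, reB, inputs) {
  for (const s of inputs) {
    if (reA.test(s) !== reB.test(s)) return s;
  }
  return null;
}

// Deterministic fuzz corpus over a small alphabet so the comparison is
// reproducible. Short strings keep the vulnerable pattern cheap to run.
function fuzzCorpus(count, maxLen, seed = 12345) {
  const alphabet = ['a', 'b', ' ', '\t', '!'];
  let state = seed >>> 0;
  const next = () => {
    state = (1664525 * state + 1013904223) >>> 0; // simple 32-bit LCG
    return state;
  };
  // Hand-picked edge cases first: empty, leading/trailing/double whitespace.
  const corpus = ['', ' ', 'a', 'a ', ' a', 'a a', 'a  a', 'ab cd ', 'ab  cd'];
  for (let i = 0; i < count; i++) {
    const len = next() % (maxLen + 1);
    let s = '';
    for (let j = 0; j < len; j++) s += alphabet[next() % alphabet.length];
    corpus.push(s);
  }
  return corpus;
}

// Defence in depth: even a linear-time pattern should not be handed
// unbounded attacker-controlled input. Reject over-long strings up front.
function safeTest(re, input, maxLen = 4096) {
  if (typeof input !== 'string' || input.length > maxLen) return false;
  return re.test(input);
}

// Demo: the vulnerable pattern's cost roughly doubles with each extra
// character while the hardened one stays flat. n is kept small on purpose.
for (const n of [12, 14, 16, 18, 20]) {
  const input = adversarial(n);
  console.log(
    `n=${n}  vulnerable=${timeTest(TAGS_VULNERABLE, input).toFixed(2)}ms` +
    `  safe=${timeTest(TAGS_SAFE, input).toFixed(2)}ms`
  );
}
```

The differential check is the part that usually gets skipped in ReDoS patches: a rewrite that is fast but rejects inputs the old pattern accepted is a breaking change, not a fix. Running the old and new patterns side by side over a seeded corpus (plus the hand-picked whitespace edge cases) before sending the pull request makes that regression visible.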

❤’s from the Node Security Team


Adam Baldwin, Node Security: VP of Security at npm. Previously founded @liftsecurity, Founder @nodesecurity acquired by npm, inc.