Adam Baldwin
Sep 21, 2017 · 1 min read

Recently there were a large number of regular expression denial of service (ReDoS) vulnerabilities released to the public via GitHub issues. These issues don’t have patches yet, but many of the maintainers are welcoming pull requests. I’m writing to ask the community for some help. If you have the time available, or your company supports contributions to open source, please consider helping fix these issues.

Below you will find a list of these currently public and unfixed vulnerabilities, sorted by npm monthly download count. While some of these issues may be unlikely to face actual exploitation given the typical use case of the affected libraries, code and its usage tend to change over time, so it can’t hurt to mitigate these issues before they have the chance to cause problems.

https://github.com/visionmedia/debug/issues/501
https://github.com/lodash/lodash/issues/3359
https://github.com/broofa/node-mime/issues/167
https://github.com/epoberezkin/ajv/issues/557
https://github.com/salesforce/tough-cookie/issues/92
https://github.com/moment/moment/issues/4163
https://github.com/epeli/underscore.string/issues/510
https://github.com/get/parsejson/issues/4
https://github.com/chjj/marked/issues/937
https://github.com/jsdom/content-type-parser/issues/3
https://github.com/bestiejs/platform.js/issues/139
https://github.com/indexzero/TimeSpan.js/issues/10
https://github.com/jprichardson/string.js/issues/212
https://github.com/hapijs/content/issues/14
https://github.com/dodo/node-slug/issues/82
https://github.com/tautologistics/node-htmlparser/issues/79
https://github.com/hgoebl/mobile-detect.js/issues/67
https://github.com/kaimallea/isMobile/issues/66
https://github.com/skoranga/node-dns-sync/issues/5


Here are a few other ReDoS issues that have been fixed recently to give you some inspiration for patches.

https://github.com/blakeembrey/no-case/issues/17
https://github.com/node-modules/charset/issues/10
https://github.com/hapijs/content/commit/3a8a6cbaf111955ec514019c2122cb278cc36a23
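The shape most of those patches take is the same: replace a pattern that backtracks superlinearly on adversarial input with a scan that does bounded work per character, or bound the input before the regex runs. The following is an added example written for this page, not code from the post or from any of the linked projects. It contrasts a trailing-whitespace trim written with a quadratic regex against a linear rewrite and a length-bounded variant, and includes a growth-ratio harness a reviewer can run on constructed worst-case input to confirm a patch actually removed the blow-up. The `MAX_LEN` limit and the function names are assumptions made for the example.

```javascript
// Added example (not from the post or any linked project): a trailing-whitespace
// trim written two ways. The regex form backtracks quadratically on constructed
// worst-case input; the loop form is linear. A small harness measures the growth
// ratio so a reviewer can confirm a rewrite actually removed the blow-up.

// Vulnerable form: on "<n spaces>x" the engine starts \s+ at each of the n
// positions, runs to the end, fails on 'x' at the '$' check, then gives back
// one char at a time, so total work is proportional to n^2.
function trimEndRegex(s) {
  return s.replace(/\s+$/, "");
}

// Hardened form: walk back from the end once. Each character is examined at
// most once, so work is proportional to n regardless of content.
function trimEndLinear(s) {
  let end = s.length;
  while (end > 0 && /\s/.test(s[end - 1])) end--;
  return s.slice(0, end);
}

// Defence in depth seen in many ReDoS patches when the regex cannot be
// rewritten quickly: refuse input longer than the caller can justify before
// the regex runs. MAX_LEN is an assumed limit for this example, not a value
// from the post.
const MAX_LEN = 10000;
function trimEndBounded(s) {
  if (s.length > MAX_LEN) {
    throw new RangeError(`input of ${s.length} chars exceeds limit ${MAX_LEN}`);
  }
  return trimEndRegex(s);
}

// Constructed worst-case input for this pattern: n whitespace characters
// followed by one non-whitespace character, so the regex fails at every
// start position instead of matching early.
function worstCaseInput(n) {
  return " ".repeat(n) + "x";
}

const now = () =>
  typeof performance !== "undefined" ? performance.now() : Date.now();

// Median wall-clock time of fn(input) over several runs, to damp timer noise.
function medianTimeMs(fn, input, runs) {
  const samples = [];
  for (let i = 0; i < runs; i++) {
    const t0 = now();
    fn(input);
    samples.push(now() - t0);
  }
  samples.sort((a, b) => a - b);
  return samples[Math.floor(runs / 2)];
}

// Ratio of median time at 2n to median time at n. A linear function gives
// roughly 2, a quadratic one roughly 4; a ratio that keeps climbing as n
// grows is the signal to look for before accepting a regex that touches
// untrusted input.
function growthRatio(fn, n, runs = 5) {
  const small = medianTimeMs(fn, worstCaseInput(n), runs);
  const large = medianTimeMs(fn, worstCaseInput(2 * n), runs);
  return large / Math.max(small, 0.001);
}

// Run directly to compare the two implementations at a modest size.
if (typeof require !== "undefined" && require.main === module) {
  const n = 8000;
  console.log("regex  t(2n)/t(n):", growthRatio(trimEndRegex, n).toFixed(2));
  console.log("linear t(2n)/t(n):", growthRatio(trimEndLinear, n).toFixed(2));
}
```

Both trims return identical results on ordinary input; the difference only shows on the constructed input, which is exactly why a patch for one of the issues above should ship with a regression test built from such a string rather than relying on normal-looking fixtures.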

❤’s from the Node Security Team

Node Security

Node Security is now at npm, Inc. helping to build a range of security products.

Written by Adam Baldwin: Team Lead @liftsecurity, Yeti @andyet, Founder @nodesecurity
