Regex DoS (ReDoS) Vulnerability [FIXED] #156
Comments
This still affects version 3.0.0 as well
Any updates to this?
I'm about to work on a fix for this, but in the meantime I'd like to list some of the mitigating factors involved so users can decide if they are affected by this or not. This only affects the If you're running this proxy in a publicly accessible manner then this vulnerability is probably the least of your concerns.
In addition to being faster by not re-parsing the string, this also addresses #156 Signed-off-by: Ryan Graham <[email protected]>
v3.0.1 has been published with a fix.
I'm at a loss as to how to update the vulnerability DBs 😞
It would also be nice to update the severity, since "high" seems a little misleading considering you need to do something already considered dangerous (run a dev tool as a public open proxy) in order to even expose this.
Do you just email [email protected] or [email protected]?
Snyk and HackerOne are not affiliated with npm/nsp so I'm not sure what they would be able to do about it.
@fmagaldea that advisory is incorrect.
@rmg How can we fix the
Any updates to this? I get the vulnerability is fixed but it's still showing the advisory
I've sent an email to [email protected] to ask them to update the record. |
When you do get that record updated, would you bump the version to 3.0.2 to make sure our random internal processes see it as a new artifact?
I just installed node-foreman and ran |
From Snyk
✗ High severity vulnerability found on [email protected]