Resource exhaustion in Node.js - CVE-2018-7158
Published: May 10, 2018
Vulnerability identifier: #VU12573
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-7158
CWE-ID: CWE-400
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Node.js Foundation
Affected software:
Node.js
Node.js
Detailed vulnerability description
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists in the splitPathRe regular expression used in the core Node.js path module for POSIX path parsing functions due to resource exhaustion. A remote attacker can cause the service to crash by taking a non-trivial amount of time to parse the value against the RegEx.
The weakness exists in the splitPathRe regular expression used in the core Node.js path module for POSIX path parsing functions due to resource exhaustion. A remote attacker can cause the service to crash by taking a non-trivial amount of time to parse the value against the RegEx.
How to mitigate CVE-2018-7158
Update to version 4.9.0.