#VU55315 Incorrect Regular Expression in path-parse


Published: 2021-07-26 | Updated: 2021-08-10

Vulnerability identifier: #VU55315

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23343

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
path-parse
Web applications / JS libraries

Vendor: Javier Blanco Gutiérrez

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation in splitDeviceRe, splitTailRe, and splitPathRe regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

Vulnerable software versions

path-parse: 1.0.0 - 1.0.6

CPE

External links
http://github.com/jbgutierrez/path-parse/issues/8
http://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028
http://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E
http://github.com/advisories/GHSA-hj48-42vr-x3v9
http://www.npmjs.com/advisories/1773

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Planning Analytics Workspace
Multiple vulnerabilities in IBM QRadar Data Synchronization App
SUSE update for nodejs14
SUSE update for nodejs8
SUSE update for nodejs12
SUSE update for nodejs10
SUSE update for nodejs14
SUSE update for nodejs8
SUSE update for nodejs12
Red Hat Software Collections update for rh-nodejs12-nodejs and rh-nodejs12-nodejs-nodemon