Hello. You're probably here from the deprecation notice.
tl;dr This is a low-severity regression that was fixed but later re-introduced a while back. You are only affected if you pass un-sanitized, long user input to debug(ns)(...) - specifically, by way of the %o formatter - in Node.js. All other cases are unaffected.
Affected version selector: debug@>=3.2.0 <3.2.7 || >=4 <4.3.1
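One way to check which installed copies of debug fall inside that selector, as an added example that is not the project's own code; it assumes an npm lockfile with a "packages" map (lockfileVersion 2 or 3) and compares only the core major.minor.patch triple:

```javascript
// Added example (not the debug project's code): flag installed copies of
// debug matching this issue's affected selector, >=3.2.0 <3.2.7 || >=4 <4.3.1.
// Assumes an npm lockfile with a "packages" map (lockfileVersion 2 or 3).
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version.trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  // Prerelease/build suffixes are ignored; only the core triple is compared.
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// lo <= v < hi, i.e. one ">=lo <hi" clause of the npm range.
function inHalfOpenRange(v, lo, hi) {
  return compare(v, parseSemver(lo)) >= 0 && compare(v, parseSemver(hi)) < 0;
}

function isAffectedDebugVersion(version) {
  const v = parseSemver(version);
  return inHalfOpenRange(v, '3.2.0', '3.2.7') || inHalfOpenRange(v, '4.0.0', '4.3.1');
}

// Every debug copy in the lockfile whose version is affected, as "path@version".
// Nested copies count too: each is loaded separately by the package above it.
function findAffectedDebugCopies(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/debug$/.test(path)) continue;
    if (entry.version && isAffectedDebugVersion(entry.version)) {
      hits.push(`${path}@${entry.version}`);
    }
  }
  return hits;
}

// Constructed lockfile fragment for demonstration, not from a real project.
const sampleLock = {
  packages: {
    'node_modules/debug': { version: '4.3.0' },
    'node_modules/express/node_modules/debug': { version: '2.6.9' },
    'node_modules/socket.io/node_modules/debug': { version: '3.2.6' },
  },
};
console.log(findAffectedDebugCopies(sampleLock));
```

Run it against a real project's package-lock.json by replacing sampleLock with the parsed file; any hit means a dependency in that tree resolves to an affected version and should be updated to 3.2.7 or 4.3.1.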
If you're still pulling old versions of the package, please nuke your node_modules/npm cache. If you're still pulling old versions of the package, bring it up with npm - I've confirmed everything is released and tagged correctly.
If the latest versions have introduced a bug for you (they shouldn't), and you've confirmed you've not accidentally pulled a major version change based on your package.json version selector (e.g. don't be using debug@* as I won't support you), then please open a ticket on this repository.
Any questions or comments about the vulnerability itself can be left in this issue. Spam comments will be deleted as I expect this issue to see a lot of traffic.
Several years ago we were alerted to a ReDoS-vulnerable regex expression that was fixed in f53962e but was accidentally re-introduced in 7116906. The original CVE was assigned identifier CVE-2017-16137. There will not be a formal update nor will there be a second CVE identifier assigned to the regression. Maintainers of advisory databases are free to update the recommended versions to 3.2.7 or 4.3.1 and link to this issue as a regression advisory.
The regression was responsibly disclosed to me by Yaniv Nizry from the CxSCA AppSec team at Checkmarx via email. A fix was issued appx. 1 week ago and the public disclosure was set to go out no sooner than 7 days after that.
NPM has been notified but has not yet responded.
I realize this is a low-severity issue that doesn't affect many people, but given that debug has >86 million weekly downloads and is used (publicly) by >9 million repositories, I wanted to treat this the same as any other security vulnerability. Apologies if the response seems a bit overdone, but I have learned not to assume how people are using this package because people continually surprise me throughout the years.
Thank you to Yaniv, and thank you, reader, for your patience.
- Josh