CVE-2014-8881
Regular Expression Denial of Service in bleach
Description
All versions of the `bleach` package are vulnerable to a regular expression denial of service attack when certain types of input are passed into the sanitize function. ## Recommendation The `bleach` package is not currently maintained, and has not seen an update since 2014. To mitigate this issue, it is necessary to use an alternative module that is actively maintained and provides similar functionality. There are [multiple modules fitting this criteria available on npm.](https://www.npmjs.com/search?q=html%20sanitizer&page=1&ranking=optimal).
How to fix CVE-2014-8881
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2014-8881 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2014-8881.
Affected packages (1)
- >= 0.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |