CVE-2017-16113
Regular Expression Denial of Service in parsejson
EPSS 0.30%
Description
Affected versions of `parsejson` are vulnerable to a regular expression denial of service when parsing untrusted user input.
Recommendation
The `parsejson` package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in Node.js, and therefore the native `JSON.parse()` should be used, for both performance and security reasons.
How to fix CVE-2017-16113
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2017-16113 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, <= 0.0.3