CVE-2017-16117
Regular Expression Denial of Service in slug
EPSS 0.36%
Description
Affected versions of `slug` are vulnerable to a regular expression denial of service (ReDoS) when parsing untrusted user input. The issue is low severity: it takes about 50,000 characters of input to block the event loop for 2 seconds.
Recommendation
Update to version 0.9.2 or later.
How to fix CVE-2017-16117
To remediate CVE-2017-16117, upgrade the affected package to a fixed version below.
- npm/slug—upgrade to 0.9.2 or later
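The two checks a practitioner wants from this advisory, as an added example that is not part of the advisory or of the `slug` project: whether an installed `slug` version falls in the affected range (>= 0, < 0.9.2), and an input-length guard for callers that cannot upgrade immediately. The `demoSlugify` stand-in and the 512-character cap are assumptions, not `slug`'s own code or a recommended value.

```javascript
// Parse "MAJOR.MINOR.PATCH" (any -prerelease/+build suffix ignored) into numbers.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map((p) => parseInt(p, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Compare two parsed versions: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed slug version is inside the CVE-2017-16117 range (< 0.9.2).
const FIXED_VERSION = parseVersion("0.9.2");
function isAffectedSlugVersion(installed) {
  return compareVersions(parseVersion(installed), FIXED_VERSION) < 0;
}

// The advisory reports ~50,000 characters blocking the loop for ~2 s; a cap two
// orders of magnitude lower keeps worst-case regex work negligible. Assumed value.
const MAX_SLUG_INPUT = 512;

// Reject oversized untrusted input before it reaches a regex-based slugifier.
function guardedSlug(input, slugify, maxLen = MAX_SLUG_INPUT) {
  if (typeof input !== "string") throw new TypeError("slug input must be a string");
  if (input.length > maxLen) {
    throw new RangeError(`slug input too long: ${input.length} > ${maxLen}`);
  }
  return slugify(input);
}

// Stand-in slugifier for demonstration only; NOT the slug package's algorithm.
function demoSlugify(s) {
  return s.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
}
```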
Is CVE-2017-16117 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/slug: >= 0, < 0.9.2