CVE-2020-26309
nope-validator Regular Expression Denial of Service vulnerability
EPSS 0.21%
Description
Nope is a JavaScript validator. Versions 0.11.3 and prior contain one or more regular expressions that are vulnerable to Regular Expression Denial of Service (ReDoS). This vulnerability is fixed in 0.12.1.
How to fix CVE-2020-26309
To remediate CVE-2020-26309, upgrade the affected package to a fixed version below.
- npm/nope-validator: upgrade to 0.12.1 or later
Is CVE-2020-26309 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- npm/nope-validator: from 0, < 0.12.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green |
References (6)
- ADVISORY: nvd.nist.gov/vuln/detail/CVE-2020-26309
- ADVISORY: securitylab.github.com/advisories/GHSL-2020-303-redos-nope-validator
- PATCH: github.com/ftonato/nope-validator
- WEB: github.com/ftonato/nope-validator/commit/4564b7444dcd92769e5c5b80420469c9f18b7a05#diff-9c399c46fa266bcf2be2704fbb369181726959e148e95ab548a32ef9ca9e7d47R1