CVE-2020-36649
Severity: HIGH 7.5 | EPSS: 0.43%
Regular Expression Denial of Service in papaparse
Published: 9/4/2020 | Modified: 6/16/2025
Description
Versions of `papaparse` prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDoS). The `parse` function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs. This allows attackers to stall systems and cause a Denial of Service.
Recommendation
Upgrade to version 5.2.0 or later.
Affected packages (2)
- Debian/mediawiki: from 0, < 1:1.35.11-1~deb11u1
- npm/papaparse: from 0, < 5.2.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (10)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-36649
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2020-36649
- PATCH: https://github.com/mholt/PapaParse
- WEB: https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621
- WEB: https://github.com/mholt/PapaParse/issues/777
- WEB: https://github.com/mholt/PapaParse/pull/779
- WEB: https://github.com/mholt/PapaParse/releases/tag/5.2.0
- WEB: https://snyk.io/vuln/SNYK-JS-PAPAPARSE-564258
- WEB: https://vuldb.com/?ctiid.218004
- WEB: https://vuldb.com/?id.218004