CVE-2022-35923

Description

### Impact Inefficient regular expression complexity of `lowercase()` and `uppercase()` regex could lead to a denial of service attack. With a formed payload `'a' + 'a'.repeat(i) + 'A'`, only 32 characters payload could take 29443 ms time execution when testing `lowercase()`. The same issue happens with `uppercase()`. ### Patches v1.5.1 ### References [huntr.dev report](https://huntr.dev/bounties/2d92f644-593b-43b4-bfd1-c8042ac60609) [_Regular Expression Denial of Service (ReDoS) and Catastrophic Backtracking_](https://snyk.io/blog/redos-and-catastrophic-backtracking/) ### For more information If you have any questions or comments about this advisory: * Open an issue in [v8n issues list](https://github.com/imbrn/v8n) * Email us at [[email protected]](mailto:[email protected])

How to fix CVE-2022-35923

To remediate CVE-2022-35923, upgrade the affected package to a fixed version below.

• —upgrade to 1.5.1 or later

Is CVE-2022-35923 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.5.1

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-35923
• PATCHgithub.com/imbrn/v8n
• WEBgithub.com/imbrn/v8n/commit/92393862156fad190c05ec3f6e2bc73308dcd2f9
• WEBgithub.com/imbrn/v8n/security/advisories/GHSA-xrx9-gj26-5wx9