CVE-2022-36034
Polynomial regular expression used on uncontrolled data in nitrado.js
Description
### Impact

Possible ReDoS with lib input of `{{` and with many repetitions of `{{|`.

### Patches

Patched in all versions above `0.2.5`.

### Workarounds

No known workarounds.

### References

- OWASP: [Regular expression Denial of Service - ReDoS](https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS)
- Wikipedia: [ReDoS](https://en.wikipedia.org/wiki/ReDoS)
- Wikipedia: [Time complexity](https://en.wikipedia.org/wiki/Time_complexity)
- James Kirrage, Asiri Rathnayake, Hayo Thielecke: [Static Analysis for Regular Expression Denial-of-Service Attack](http://www.cs.bham.ac.uk/~hxt/research/reg-exp-sec.pdf)
- Common Weakness Enumeration: [CWE-1333](https://cwe.mitre.org/data/definitions/1333.html)
- Common Weakness Enumeration: [CWE-400](https://cwe.mitre.org/data/definitions/400.html)
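The advisory names the input shape (`{{` followed by many `{{|` repetitions) but not the regular expression. The following is an added example, not nitrado.js code: it builds that input shape, measures how matching time grows as the input doubles so you can confirm a regex (or the upgraded library) behaves linearly, and shows the regex-independent mitigation of capping uncontrolled input length. The `growthRatio` and `safeTest` helpers are assumptions of this example; the regex passed in is whatever you want to check.

```javascript
// Added example for CVE-2022-36034; not code from the nitrado.js project.
// Clock that works in Node with or without the global performance object.
const now = () => (globalThis.performance ? performance.now() : Date.now());

// Input shape from the advisory: "{{" then `reps` repetitions of "{{|".
// This is a constructed payload builder for measurement, not library input.
function redosPayload(reps) {
  return '{{' + '{{|'.repeat(reps);
}

// Wall-clock milliseconds for a single test() of `re` against `input`.
function timeMatch(re, input) {
  const t0 = now();
  re.test(input);
  return now() - t0;
}

// Doubles the input size `rounds` times and returns the worst ratio of
// matching time between consecutive sizes. A linear matcher stays near 2;
// a quadratic one approaches 4, cubic 8. Use it to compare a regex (or
// library version) before and after a fix.
function growthRatio(re, build = redosPayload, start = 500, rounds = 3) {
  let prev = timeMatch(re, build(start));
  let worst = 0;
  for (let n = start * 2, i = 0; i < rounds; n *= 2, i += 1) {
    const cur = timeMatch(re, build(n));
    worst = Math.max(worst, cur / Math.max(prev, 1e-3)); // avoid /0 on fast runs
    prev = cur;
  }
  return worst;
}

// Mitigation that does not depend on the regex: bound the size of
// uncontrolled input before it reaches the matcher, so even a superlinear
// pattern has a fixed worst case. Returns false for rejected input.
function safeTest(re, input, maxLen = 1000) {
  if (typeof input !== 'string' || input.length > maxLen) return false;
  return re.test(input);
}

// Stand-alone demonstration with a simple linear pattern; substitute the
// regex under review to see its growth ratio.
console.log('growth ratio:', growthRatio(/\{\{\|/).toFixed(2));
console.log('oversized input accepted:', safeTest(/\{\{/, redosPayload(5000)));

module.exports = { redosPayload, timeMatch, growthRatio, safeTest };
```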
How to fix CVE-2022-36034
To remediate CVE-2022-36034, upgrade the affected package to a fixed version below.
- nitrado.js: upgrade to 0.2.5 or later
Is CVE-2022-36034 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- nitrado.js: from 0, < 0.2.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |