CVE-2017-16113 — Regular Expression Denial of Service in parsejson

描述

Affected versions of `parsejson` are vulnerable to a regular expression denial of service when parsing untrusted user input. ## Recommendation The `parsejson` package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in Node.js, and therefore the native `JSON.parse()` should be used, for both performance and security reasons.

如何修補 CVE-2017-16113

目前尚未發布修補版本。可考慮移除受影響套件,或參考下方連結中的上游建議。

npm/parsejson—未列出修補版本

CVE-2017-16113 正在被利用嗎?

低 — EPSS 為 0.3%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, <= 0.0.3

參考連結(4)

ADVISORYgithub.com/advisories/GHSA-q75g-2496-mxpp
ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-16113
WEBgithub.com/get/parsejson/issues/4
WEBwww.npmjs.com/advisories/528