CVE-2023-30858

Denosaurs emoji has ReDoS vulnerability in `replace` function

CVSS 5.3 MEDIUMEPSS 1.2%CWE-1333

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.3EPSS 1.2%KEV nãoPoC —Patch —

Ciclo de vida

28 abr 2023Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

The Denosaurs emoji package provides emojis for dinosaurs. Starting in version 0.1.0 and prior to version 0.3.0, the reTrimSpace regex has 2nd degree polynomial inefficiency, leading to a delayed response given a big payload. The issue has been patched in 0.3.0. As a workaround, avoid using the `replace`, `unemojify`, or `strip` functions.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Produtos afetados

denosaurs · emoji

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/denosaurs/emoji/pull/11 https://github.com/denosaurs/emoji/security/advisories/GHSA-w2xx-hjhp-gx5v https://huntr.dev/bounties/444f2255-5085-466f-ba0e-5549fa8846a3/