CVE-2017-16021
N/A
N/A
Summary
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to require("uri-js").parse() where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| HackerOne | uri-js node module | <=2.1.1 | affected |
Weaknesses
- CWE-400: Denial of Service (CWE-400)
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.