Regular Expression Denial of Service (ReDoS)

[larrycameron80]

Regular Expression Denial of Service (ReDoS)
Vulnerable module: debug
Introduced through: body-parser@1.16.1, express@4.14.1 and others
Detailed paths
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › body-parser@1.16.1 › debug@2.6.1
Remediation: Upgrade to body-parser@1.18.2.
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › express@4.14.1 › debug@2.2.0
Remediation: Upgrade to express@4.15.5.
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › morgan@1.7.0 › debug@2.2.0
Remediation: Upgrade to morgan@1.9.0.
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › express@4.14.1 › finalhandler@0.5.1 › debug@2.2.0
Remediation: Upgrade to express@4.15.0.
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › express@4.14.1 › send@0.14.2 › debug@2.2.0
Remediation: Upgrade to express@4.15.5.
Introduced through: etherchain-light@gobitfly/etherchain-light#0163743bbd61c33ad71cb238ca4ea900fa922710 › express@4.14.1 › serve-static@1.11.2 › send@0.14.2 › debug@2.2.0
Remediation: Upgrade to express@4.15.5.
Overview
debug is a JavaScript debugging utility modelled after Node.js core's debugging technique..

debug uses printf-style formatting. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks via the the %o formatter (Pretty-print an Object all on a single line). It used a regular expression (/\s*\n\s*/g) in order to strip whitespaces and replace newlines with spaces, in order to join the data into a single line. This can cause a very low impact of about 2 seconds matching time for data 50k characters long.