GMS-2020-1: Regular Expression Denial of Service

March 2, 2020 (updated March 6, 2020)

A regex in the form of /[x-\ud800]/u causes the parser to enter an infinite loop. The string is not valid UTF16 which usually results in it being sanitized before reaching the parser.

References

github.com/acornjs/acorn/commit/793c0e569ed1158672e3a40aeed1d8518832b802
snyk.io/vuln/SNYK-JS-ACORN-559469
www.npmjs.com/advisories/1488

Detect and mitigate GMS-2020-1 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →