CVE-2022-1929: Regular expression denial of service in devcert

June 2, 2022 (updated July 24, 2023)

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the devcert npm package, when an attacker is able to supply arbitrary input to the certificateFor method

References

github.com/advisories/GHSA-fp36-299x-pwmw
github.com/davewasmer/devcert/commit/b0763215f6683271d296fda98f7ef7bcd4a55977
nvd.nist.gov/vuln/detail/CVE-2022-1929
research.jfrog.com/vulnerabilities/devcert-redos-xray-211352/

Detect and mitigate CVE-2022-1929 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →