CVE-2020-36649: Regular Expression Denial of Service in papaparse
Versions of papaparse prior to 5.2.0 are vulnerable to Regular Expression Denial of Service (ReDoS). The parse function contains a malformed regular expression that takes exponentially longer to process non-numerical inputs, so an attacker who controls the parsed input can stall the system and cause a Denial of Service.
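As an added illustration (not code from papaparse or from the advisory; both patterns below are constructed for this note rather than quoted from the project), the overlapping-alternation shape the advisory describes sits next to a hardened pattern and a regex-free single-pass scanner for numeric field detection, with a small timing probe:

```javascript
// Added illustration, not papaparse's code. SLOW_FLOAT is constructed to show the
// bug class the advisory describes: its two alternatives overlap, so a long digit
// run followed by one non-numeric character makes the engine retry every split.
const SLOW_FLOAT = /^\s*-?(\d*\.?\d+|\d+\.?\d*)(e[-+]?\d+)?\s*$/i;
// Hardened pattern: same language, but no alternative can match a prefix in more
// than one way, so a rejection costs O(length).
const SAFE_FLOAT = /^\s*-?(\d+\.?|\.\d+|\d+\.\d+)([eE][-+]?\d+)?\s*$/;

// Regex-free single-pass scanner accepting exactly what SAFE_FLOAT accepts; it
// never backtracks, so its cost cannot depend on the input's shape at all.
function isNumericField(s) {
  const n = s.length;
  const isDigit = (c) => c >= '0' && c <= '9';
  const isSpace = (c) => /\s/.test(c); // one character, nothing to backtrack
  let i = 0;
  while (i < n && isSpace(s[i])) i++;
  if (s[i] === '-') i++;
  let intDigits = 0;
  while (i < n && isDigit(s[i])) { i++; intDigits++; }
  let fracDigits = 0;
  if (s[i] === '.') {
    i++;
    while (i < n && isDigit(s[i])) { i++; fracDigits++; }
  }
  if (intDigits === 0 && fracDigits === 0) return false; // "", "-", "."
  if (s[i] === 'e' || s[i] === 'E') {
    i++;
    if (s[i] === '+' || s[i] === '-') i++;
    let expDigits = 0;
    while (i < n && isDigit(s[i])) { i++; expDigits++; }
    if (expDigits === 0) return false; // "1e", "1e+"
  }
  while (i < n && isSpace(s[i])) i++;
  return i === n; // leftovers such as "1 2" or "1.5.2" mean not a number
}

// Wall-clock cost of re.test() on the worst-case shape: n digits then 'x'.
function probeMs(re, n) {
  const t0 = process.hrtime.bigint();
  re.test('1'.repeat(n) + 'x');
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [1000, 2000, 4000]) { // small n: SLOW_FLOAT's cost grows superlinearly
    console.log(n, 'slow', probeMs(SLOW_FLOAT, n).toFixed(1), 'ms,',
      'safe', probeMs(SAFE_FLOAT, n).toFixed(2), 'ms');
  }
}
```

Run it with node to print the timing table; the scanner is the form to prefer when type detection runs over untrusted CSV, since its cost is fixed by input length alone.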
References
- github.com/advisories/GHSA-qvjc-g5vr-mfgr
- github.com/mholt/PapaParse
- github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621
- github.com/mholt/PapaParse/issues/777
- github.com/mholt/PapaParse/pull/779
- github.com/mholt/PapaParse/releases/tag/5.2.0
- nvd.nist.gov/vuln/detail/CVE-2020-36649
- snyk.io/vuln/SNYK-JS-PAPAPARSE-564258
- vuldb.com/?ctiid.218004
- vuldb.com/?id.218004
Detect and mitigate CVE-2020-36649 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning.