CVE-2025-25283: parse-duration has a Regex Denial of Service that results in event loop delay and out of memory
This report finds two availability issues caused by the regex used in the parse-duration npm package:
- An event loop delay: the CPU-bound regex evaluation of the supplied string takes from 0.5 ms up to ~50 ms per call, for input sizes from 0.01 MB up to 4.3 MB respectively.
- An out-of-memory condition that crashes the running Node.js application when given a string of roughly 10 MB that contains Unicode characters.
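A defensive wrapper, added here as an example and not taken from the advisory or the parse-duration project: it caps the length and character set of a duration string before it reaches the package's regex, and times each call so unusually slow parses can be logged for detection. The limits `MAX_LEN` and `TIME_BUDGET_MS`, the injected `parse` argument and the `stubParse` stand-in parser are assumptions made for this example.

```javascript
// Added example (not from the advisory or the parse-duration project): bound
// what reaches the vulnerable regex, and record how long each call takes.
// MAX_LEN and TIME_BUDGET_MS are assumed values, not figures from the advisory.

const MAX_LEN = 256;        // assumption: real duration strings are short ("1h 30m")
const TIME_BUDGET_MS = 5;   // assumption: slower calls are worth a log record

// Reject input before the regex runs. The advisory ties both the event loop
// delay and the out-of-memory crash to very large, Unicode-bearing strings,
// so a short printable-ASCII allow-list removes both triggers up front.
function validateDurationInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not-a-string' };
  if (input.length > MAX_LEN) return { ok: false, reason: 'too-long' };
  if (!/^[\x20-\x7e]*$/.test(input)) return { ok: false, reason: 'non-ascii' };
  return { ok: true };
}

// `parse` is injected (in production: require('parse-duration')). `log` receives
// a record for any call that exceeds the time budget, for alerting on abuse.
function safeParseDuration(input, parse, log = () => {}) {
  const v = validateDurationInput(input);
  if (!v.ok) return { value: null, rejected: v.reason, ms: 0 };
  const start = process.hrtime.bigint();
  const value = parse(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  if (ms > TIME_BUDGET_MS) {
    log({ event: 'slow-duration-parse', length: input.length, ms });
  }
  return { value, rejected: null, ms };
}

// Constructed stand-in parser so the example runs offline; it only understands
// "<n>h", "<n>m" and "<n>s" tokens and returns milliseconds.
function stubParse(s) {
  const unit = { h: 3600000, m: 60000, s: 1000 };
  let total = 0;
  for (const m of s.matchAll(/(\d+)\s*([hms])/g)) {
    total += Number(m[1]) * unit[m[2]];
  }
  return total;
}
```

In a real deployment the `log` callback would feed the application's normal logging pipeline so repeated slow or rejected parses from one source can be correlated.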
References