GMS-2019-62: Regular Expression Denial of Service in underscore.string
Versions of underscore.string prior to 3.3.5 are vulnerable to Regular Expression Denial of Service (ReDoS). The function unescapeHTML is vulnerable because it decodes HTML entities with an overly-broad regex: an attacker-controlled string passed to it can force the regex engine into excessive backtracking, so a single call can consume CPU for seconds. The reported slowdown is approximately 2s for the tested input length and grows exponentially with larger inputs. Upgrade to 3.3.5 or higher.
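The following is an added example written for this page; it is not code from underscore.string and the exact regex shipped in the affected versions is not quoted here. It shows the class of bug the advisory describes: an entity-matching regex whose name capture (`[^;]+`) is unbounded, beside a variant that caps the scan at 20 characters (the limit of 20 is an assumption chosen for illustration). A constructed hostile input of many `&` characters with no closing `;` makes the unbounded pattern scan and backtrack to the end of the string for every ampersand, so cost grows quadratically with input length, while the bounded pattern does at most 20 steps per ampersand.

```javascript
'use strict';

// Constructed subset of named entities, enough for the demonstration.
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

// Overly-broad shape: `[^;]+` is unbounded, so for every '&' that is never
// followed by ';' the engine scans to the end of the input and then backtracks
// one character at a time before giving up. Many such '&' means quadratic work.
const ENTITY_UNBOUNDED = /&([^;]+);/g;

// Bounded shape: entity names are short, so cap the scan. The limit of 20 is an
// assumption made for this example, not a value taken from the library.
const ENTITY_BOUNDED = /&([^;]{1,20});/g;

// Guard against String.fromCodePoint throwing RangeError on out-of-range values.
function fromCodePointOr(cp, fallback) {
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : fallback;
}

// Replacement callback shared by both variants: named, hex and decimal entities.
function decodeEntity(entity, code) {
  if (Object.prototype.hasOwnProperty.call(ENTITIES, code)) return ENTITIES[code];
  let m;
  if ((m = /^#x([\da-fA-F]+)$/.exec(code)) !== null) return fromCodePointOr(parseInt(m[1], 16), entity);
  if ((m = /^#(\d+)$/.exec(code)) !== null) return fromCodePointOr(Number(m[1]), entity);
  return entity; // unknown entity: leave the text untouched
}

function unescapeHTMLUnbounded(str) {
  return String(str).replace(ENTITY_UNBOUNDED, decodeEntity);
}

function unescapeHTMLBounded(str) {
  return String(str).replace(ENTITY_BOUNDED, decodeEntity);
}

// Hostile input (constructed): n ampersands and no terminating ';'.
function hostileInput(n) {
  return '&'.repeat(n) + 'x';
}

// Wall-clock cost of one call, in milliseconds.
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Run both variants on the same hostile input and report their cost.
function compareCost(n) {
  const input = hostileInput(n);
  return {
    n,
    unboundedMs: timeMs(unescapeHTMLUnbounded, input),
    boundedMs: timeMs(unescapeHTMLBounded, input),
  };
}

// Demo: well-formed input decodes identically; doubling n roughly quadruples
// the unbounded cost while the bounded cost stays linear.
console.log(unescapeHTMLBounded('&lt;b&gt;&amp;&#x41;&#66;&bogus;'));
for (const n of [1000, 2000, 4000, 8000]) console.log(compareCost(n));
```

Both variants decode well-formed input identically, which is the point of the fix: bounding the repetition removes the attacker's ability to drive backtracking cost without changing the function's results on legitimate entities. When auditing a regex for this class of issue, look for an unbounded repetition of a broad class followed by a literal the input can simply omit.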
Detect and mitigate GMS-2019-62 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.