Published: 17/05/2018 Updated: 29/08/2022

CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 445

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an malicious user to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.

Vulnerable Product	Search on Vulmon	Subscribe to Product
nodejs node.js

It was found that the 'path' module from Nodejs was vulnerable to a Regular Expression Denial of Service (REDoS) flaw An attacker able to provide a specially crafted file path to a Nodejs script could force it to hang indefinitely ...

NVD-CWE-Other https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/https://nvd.nist.gov https://access.redhat.com/security/cve/cve-2018-7158

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2018-7158

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect