Safeguard
Tag

redos

Safeguard articles tagged "redos" — guides, analysis, and best practices for software supply chain and application security.

36 articles

Vulnerability Analysis

CVE-2022-25883: ReDoS in semver package

CVE-2022-25883 is a ReDoS flaw in the widely used semver npm package. Here's what versions are affected, its severity, and how to remediate it.

Oct 12, 20257 min read
Vulnerability Analysis

CVE-2021-3803: ReDoS in nth-check CSS selector parser

CVE-2021-3803 is a ReDoS flaw in nth-check's CSS selector regex, reachable via css-select, svgo, and countless React build toolchains relying on them.

Oct 11, 20258 min read
Vulnerability Analysis

CVE-2021-3807: ReDoS in ansi-regex

A ReDoS flaw in the widely-depended-on ansi-regex npm package could hang Node.js processes on crafted input. Here's what's affected and how to fix it.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2021-23364: ReDoS in browserslist

A regex denial of service in browserslist (CVE-2021-23364) could stall Node.js builds via crafted version strings. Here's the fix and how Safeguard catches it.

Oct 11, 20257 min read
Vulnerability Analysis

CVE-2022-3517: ReDoS in minimatch pattern matching

CVE-2022-3517 is a high-severity ReDoS flaw in minimatch's glob-to-regex conversion, impacting a huge share of the npm ecosystem's dependency graph.

Oct 9, 20257 min read
Vulnerability Analysis

CVE-2021-33503: ReDoS in urllib3 URL authority parsing

CVE-2021-33503 exposes urllib3 before 1.26.5 to a ReDoS in URL authority parsing, letting attacker URLs exhaust CPU. What to patch and why.

Oct 7, 20257 min read
Vulnerability Analysis

CVE-2022-29117: Regular expression denial of service in .NET

CVE-2022-29117 is a regular expression denial-of-service vulnerability in .NET that lets attackers exhaust CPU with crafted input. Here's what to patch and why.

Sep 19, 20258 min read
Vulnerabilities

Lodash 4.17.21: The Security History Behind the Version Bump

Lodash 4.17.21 closed a ReDoS path in its number-parsing helpers and a command-injection risk in its templating function — here's the security history that led up to it.

Feb 11, 20255 min read
Vulnerabilities

CVE-2017-18214: Why an Old CVE Still Shows Up in Scans

CVE-2017-18214 is a ReDoS bug in Moment.js patched back in 2017, yet it keeps surfacing in scans years later because bundled copies and stale lockfiles never got the memo.

Apr 9, 20244 min read
Vulnerabilities

CVE-2022-31129: The Day.js ReDoS Vulnerability, Explained

CVE-2022-31129 is a regular expression denial of service in Day.js's custom parse format handling. Here's what triggered it, why it's still showing up in scans, and how it was fixed.

Mar 19, 20245 min read
Application Security

Regular Expression Denial of Service (ReDoS): Detection and Prevention

A single bad regex can bring down your entire application. ReDoS attacks exploit catastrophic backtracking to consume unbounded CPU time.

May 8, 20224 min read
Application Security

Regular Expression Denial of Service (ReDoS): When Patterns Attack

A single poorly written regex can take down your server. ReDoS is a subtle denial-of-service vulnerability hiding in dependencies you have never audited.

Aug 20, 20214 min read
redos (Page 3) — Safeguard Blog