redos
Safeguard articles tagged "redos" — guides, analysis, and best practices for software supply chain and application security.
36 articles
CVE-2022-25883: ReDoS in semver package
CVE-2022-25883 is a ReDoS flaw in the widely used semver npm package. Here's what versions are affected, its severity, and how to remediate it.
CVE-2021-3803: ReDoS in nth-check CSS selector parser
CVE-2021-3803 is a ReDoS flaw in nth-check's CSS selector regex, reachable via css-select, svgo, and countless React build toolchains relying on them.
CVE-2021-3807: ReDoS in ansi-regex
A ReDoS flaw in the widely-depended-on ansi-regex npm package could hang Node.js processes on crafted input. Here's what's affected and how to fix it.
CVE-2021-23364: ReDoS in browserslist
A regex denial of service in browserslist (CVE-2021-23364) could stall Node.js builds via crafted version strings. Here's the fix and how Safeguard catches it.
CVE-2022-3517: ReDoS in minimatch pattern matching
CVE-2022-3517 is a high-severity ReDoS flaw in minimatch's glob-to-regex conversion, impacting a huge share of the npm ecosystem's dependency graph.
CVE-2021-33503: ReDoS in urllib3 URL authority parsing
CVE-2021-33503 exposes urllib3 before 1.26.5 to a ReDoS in URL authority parsing, letting attacker URLs exhaust CPU. What to patch and why.
CVE-2022-29117: Regular expression denial of service in .NET
CVE-2022-29117 is a regular expression denial-of-service vulnerability in .NET that lets attackers exhaust CPU with crafted input. Here's what to patch and why.
Lodash 4.17.21: The Security History Behind the Version Bump
Lodash 4.17.21 closed a ReDoS path in its number-parsing helpers and a command-injection risk in its templating function — here's the security history that led up to it.
CVE-2017-18214: Why an Old CVE Still Shows Up in Scans
CVE-2017-18214 is a ReDoS bug in Moment.js patched back in 2017, yet it keeps surfacing in scans years later because bundled copies and stale lockfiles never got the memo.
CVE-2022-31129: The Day.js ReDoS Vulnerability, Explained
CVE-2022-31129 is a regular expression denial of service in Day.js's custom parse format handling. Here's what triggered it, why it's still showing up in scans, and how it was fixed.
Regular Expression Denial of Service (ReDoS): Detection and Prevention
A single bad regex can bring down your entire application. ReDoS attacks exploit catastrophic backtracking to consume unbounded CPU time.
Regular Expression Denial of Service (ReDoS): When Patterns Attack
A single poorly written regex can take down your server. ReDoS is a subtle denial-of-service vulnerability hiding in dependencies you have never audited.