CVE-2018-25077: Fix possible ReDoS attack · melnaron/mel-spintax@3776761
A vulnerability was found in melnaron mel-spintax. It has been rated as problematic. Affected by this issue is some unknown functionality of the file lib/spintax.js. The manipulation of the argument text leads to inefficient regular expression complexity. The name of the patch is 37767617846e27b87b63004e30216e8f919637d3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218456.
@@ -34,7 +34,7 @@
* @return {Boolean}
*/
exports.isSpintax = function(text) {
return text.match(/{.*(\|.*)+}/) !== null;
return text.match(/\{[^}]*\|*[^}]*\}/) !== null;
};
/**
@@ -44,7 +44,7 @@
* @return {null|Array}
*/
exports.findSpintax = function(text) {
return text.match(/{([^{}]+?)}/);
return text.match(/\{([^{}]+?)\}/);
};
/**
@@ -152,7 +152,7 @@
text = exports.unspin(text);
// Check text for remaining Spintax format sequences: { then | or | then }
return text.match(/({[^}]*\|)|(\|[^{]*})/) === null;
return text.match(/(\{[^}]*\|)|(\|[^{]*\})/) === null;
};
})(typeof exports === ‘undefined’ ? this[‘spintax’] = {} : exports);
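Review bot: In `isSpintax`, the replacement pattern `/\{[^}]*\|*[^}]*\}/` makes the pipe optional, because `\|*` also matches zero pipes. Any braced text such as `{abc}` is therefore now reported as spintax, which the earlier `/{.*(\|.*)+}/` did not accept. The two adjacent `[^}]*` runs around that optional separator can also still backtrack polynomially when an opening brace has no closing brace after it, so the expensive-regex exposure looks reduced rather than removed. Requiring exactly one separating pipe and excluding it from the first class addresses both: `return text.match(/\{[^}|]*\|[^}]*\}/) !== null;`. The other two changed patterns only escape the braces and keep their behaviour.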
Related news
A vulnerability was found in melnaron mel-spintax. It has been rated as problematic. Affected by this issue is some unknown functionality of the file `lib/spintax.js`. The manipulation of the argument text leads to inefficient regular expression complexity. The name of the patch is 37767617846e27b87b63004e30216e8f919637d3. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-218456.