ReDos Vulnerability Regression Visibility Notice
Qix- opened this issue · 1 comments
Hello. You're probably here from the deprecation notice.
tl;dr This is a low-severity regression that was fixed but later re-introduced a while back. You are only affected if you pass un-sanitized, long user input to `debug(ns)(...)` - specifically, by way of the `%o` formatter - in Node.js. All other cases are unaffected.
Affected version selector: `debug@>=3.2.0 <3.2.7 || >=4 <4.3.1`
If you're still pulling old versions of the package, please nuke your node_modules/npm cache. If you're still pulling old versions of the package, bring it up with npm - I've confirmed everything is released and tagged correctly.
If the latest versions have introduced a bug for you (they shouldn't), and you've confirmed you've not accidentally pulled a major version change based on your `package.json` version selector (e.g. don't be using `debug@*` as I won't support you), then please open a ticket on this repository.
Any questions or comments about the vulnerability itself can be left in this issue. Spam comments will be deleted as I expect this issue to see a lot of traffic.
Several years ago we were alerted to a ReDos vulnerable regex expression that was fixed in f53962e but was accidentally re-introduced in 7116906. The original CVE was assigned identifier CVE-2017-16137. There will not be a formal update nor will there be a second CVE identifier assigned to the regression. Maintainers of advisory databases are free to update the recommended versions to `3.2.7` or `4.3.1` and link to this issue as a regression advisory.
The regression was responsibly disclosed to me by Yaniv Nizry from the CxSCA AppSec team at Checkmarx via email. A fix was issued appx. 1 week ago and the public disclosure was set to go out no sooner than 7 days after that.
NPM has been notified but has not yet responded.
I realize this is a low-severity issue that doesn't affect many people, but given that `debug` has >86 million weekly downloads and is used (publicly) by >9 million repositories, I wanted to treat this as equally as any other security vulnerability. Apologies if the response seems a bit overdone, but I have learned not to assume how people are using this package because people continually surprise me throughout the years.
Thank you to Yaniv, and thank you, reader, for your patience.
- Josh
Welp, that went much better than expected.
Please open a new issue for anything related to this patch. Going to close and lock now.