finos/cla-bot

WS-2017-0247 (Low) detected in ms-0.7.0.tgz, ms-0.7.1.tgz

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Libraries - ms-0.7.0.tgz, ms-0.7.1.tgz

ms-0.7.0.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.0.tgz

Path to dependency file: /tmp/ws-scm/cla-bot/package.json

Path to vulnerable library: /tmp/ws-scm/cla-bot/node_modules/express-session/node_modules/ms/package.json

Dependency Hierarchy:

  • express-3.20.3.tgz (Root Library)
    • connect-2.29.2.tgz
      • express-session-1.10.4.tgz
        • debug-2.1.3.tgz
          • ms-0.7.0.tgz (Vulnerable Library)

ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Path to dependency file: /tmp/ws-scm/cla-bot/package.json

Path to vulnerable library: /tmp/ws-scm/cla-bot/node_modules/ms/package.json

Dependency Hierarchy:

  • express-3.20.3.tgz (Root Library)
    • debug-2.2.0.tgz
      • ms-0.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 728af6547d8b346b13cb8e7fe8c30e8a0df3cbeb

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-05-15

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: vercel/ms@305f2dd

Release Date: 2017-04-12

Fix Resolution: Replace or update the following file: index.js