CVE-2017-16117

slug is a module to slugify strings, even if they contain unicode. slug is vulnerable to regular expression denial of service is specially crafted untrusted input is passed as input. About 50k characters can block the event loop for 2 seconds.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
hackeroneCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 57%
VendorProductVersion
slug_projectslug
𝑥
≤ 0.9.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/dodo/node-slug/issues/82
https://nodesecurity.io/advisories/537
https://github.com/dodo/node-slug/issues/82
https://nodesecurity.io/advisories/537