7.5
CVE-2022-25887
- EPSS 1.15%
- Veröffentlicht 30.08.2022 05:15:07
- Zuletzt bearbeitet 21.11.2024 06:53:09
- Quelle report@snyk.io
- CVE-Watchlists
- Unerledigt
Regular Expression Denial of Service (ReDoS)
The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Apostrophecms ≫ Sanitize-html SwPlatformnode.js Version < 2.7.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.15% | 0.629 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| report@snyk.io | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-1333 Inefficient Regular Expression Complexity
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c
https://github.com/apostrophecms/sanitize-html/pull/557
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102
https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526