7.5

CVE-2022-25887

Regular Expression Denial of Service (ReDoS)

The package sanitize-html before 2.7.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to insecure global regular expression replacement logic of HTML comment removal.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApostrophecmsSanitize-html SwPlatformnode.js Version < 2.7.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.15% 0.629
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
report@snyk.io 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c
Patch
Third Party Advisory
https://github.com/apostrophecms/sanitize-html/pull/557
Patch
Third Party Advisory
Issue Tracking
https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3008102
Patch
Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526
Patch
Third Party Advisory