Kathrine Breboneria

High Vulnerability Detected in Dependency (NPM debug) of mocha

How to Remediate: Vulnerability Detected in debug package (Inefficient Regular Expression Complexity)

I recently ran a security scan using Checkmarx One and detected a high vulnerability in the npm debug package. 

Package: debug

Version: 4.3.4 (latest)

CWE: CWE-1333 (Inefficient Regular Expression Complexity)

Description: In NPM debug, the enable function accepts a regular expression from user input without escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service). This is a different issue than CVE-2017-16137.

I did not directly install and use the debug package. It is a dependency of the following packages that I am currently using:

Is there any recommended remediation for this vulnerability?

Screenshot of Checkmarx One description of the Vulnerability

Upvotes: 2

Views: 1037

Answers (0)
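Added example (not part of the question, and not code from the debug project): a small wrapper that validates a user-supplied DEBUG namespace spec before it would ever reach `debug.enable()`. It assumes debug's documented spec syntax (comma/space separated terms, `*` as a wildcard, a leading `-` to exclude a namespace) and that the risk described above comes from regex metacharacters in a term being compiled verbatim into a RegExp. The allowlist rejects any term containing such characters, so a pattern like `(a+)+$` never becomes a regular expression; the matcher below emulates the wildcard semantics on the accepted terms only.

```javascript
// Added example, not the question's or the debug project's own code.
// Assumptions: DEBUG spec terms are comma/space separated, '*' is a wildcard,
// a leading '-' excludes a namespace. The wrapper validates a spec before it
// would be handed to debug.enable(); it never calls debug itself.

// Allowlist for one term: optional leading '-', then letters, digits, ':', '_',
// '-' and the '*' wildcard. Regex metacharacters such as '(', '+', '$' and '?'
// fall outside it, so a term that could inflate regex cost is rejected up front.
const SAFE_TERM = /^-?[A-Za-z0-9_:*-]+$/;

// Split a spec on commas/whitespace (as debug does) and partition the terms
// into those that pass the allowlist and those that are refused.
function sanitizeDebugSpec(spec) {
  const accepted = [];
  const rejected = [];
  for (const term of String(spec).split(/[\s,]+/)) {
    if (term === '') continue;
    (SAFE_TERM.test(term) ? accepted : rejected).push(term);
  }
  return { accepted, rejected };
}

// Compile one accepted term: escape every regex metacharacter except '*',
// then expand the wildcard into a non-greedy '.*?' and anchor the pattern.
function termToRegex(term) {
  const escaped = term
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*?');
  return new RegExp('^' + escaped + '$');
}

// Decide whether a namespace is enabled: it must match at least one
// positive term and no exclusion term. Rejected terms are ignored.
function isEnabled(spec, name) {
  const { accepted } = sanitizeDebugSpec(spec);
  let enabled = false;
  for (const term of accepted) {
    if (term.startsWith('-')) {
      if (termToRegex(term.slice(1)).test(name)) return false;
    } else if (termToRegex(term).test(name)) {
      enabled = true;
    }
  }
  return enabled;
}

// Constructed sample inputs: a clean spec and one carrying a hostile term.
const cleanSpec = 'app:*,-app:noisy';
const hostileSpec = 'app:*, (a+)+$';

module.exports = { SAFE_TERM, sanitizeDebugSpec, termToRegex, isEnabled, cleanSpec, hostileSpec };
```

In practice the application would read `process.env.DEBUG` (or whatever untrusted source feeds the spec), pass it through `sanitizeDebugSpec`, log the `rejected` terms for review, and only hand `accepted.join(',')` to `debug.enable()`; validating at that boundary removes the dependency on whether the installed debug version escapes the pattern itself.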
