
Vulnerability in path-parse v1.0.6 (CVE-2021-23343) #3095

Open
jprince opened this issue Aug 15, 2023 · 0 comments

jprince commented Aug 15, 2023

Current behavior:
The project depends on path-parse v1.0.6, which is vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.

For more detail see: GHSA-hj48-42vr-x3v9

Expected behavior:
The project already depends on the patched version of path-parse - v1.0.7 - so remediating this is a matter of removing the dependency on v1.0.6.

Environment information:

  • react version: N/A
  • @emotion/react version: multiple, including latest
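A check for the situation this issue describes (a patched copy of path-parse installed alongside a still-vulnerable one), added here as an example and not code from the issue or the project; it assumes the npm lockfile v2/v3 `packages` layout, and the lockfile contents below are constructed for the example.

```javascript
// Scan an npm lockfile's "packages" map for every installed copy of a
// package and flag copies older than the patched version (1.0.7 here).
const PATCHED_PATH_PARSE = '1.0.7';

// Minimal comparison for plain x.y.z versions; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lockfile entry for `name`: its install path (hoisted or nested),
// its version, and whether it is below the patched version.
function findPackageCopies(lock, name, patched) {
  const copies = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    // '' is the root project itself; nested copies end in node_modules/<name>.
    if (installPath === '' || !installPath.endsWith('node_modules/' + name)) continue;
    copies.push({
      path: installPath,
      version: entry.version,
      vulnerable: compareVersions(entry.version, patched) < 0,
    });
  }
  return copies;
}

// Constructed sample lockfile: a hoisted patched copy plus a nested
// vulnerable copy pulled in by a transitive dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.0.0' },
    'node_modules/path-parse': { version: '1.0.7' },
    'node_modules/some-dep': { version: '2.1.0', dependencies: { 'path-parse': '1.0.6' } },
    'node_modules/some-dep/node_modules/path-parse': { version: '1.0.6' },
  },
};

// Returns only the copies that still need remediation (deduping to 1.0.7).
function vulnerablePathParseCopies(lock = SAMPLE_LOCK) {
  return findPackageCopies(lock, 'path-parse', PATCHED_PATH_PARSE).filter((c) => c.vulnerable);
}

for (const c of vulnerablePathParseCopies()) {
  console.log(`${c.path} is ${c.version} (< ${PATCHED_PATH_PARSE})`);
}
```

To run this against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.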