WS-2017-0247 (Low) detected in ms-0.7.1.tgz, ms-0.7.2.tgz #3
Description
WS-2017-0247 - Low Severity Vulnerability
Vulnerable Libraries - ms-0.7.1.tgz, ms-0.7.2.tgz
ms-0.7.1.tgz
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Path to dependency file: esri-leaflet/package.json
Path to vulnerable library: esri-leaflet/node_modules/socket.io-parser/node_modules/ms/package.json
Dependency Hierarchy:
- karma-1.7.1.tgz (Root Library)
- socket.io-1.7.3.tgz
- socket.io-parser-2.3.1.tgz
- debug-2.2.0.tgz
- ❌ ms-0.7.1.tgz (Vulnerable Library)
- debug-2.2.0.tgz
- socket.io-parser-2.3.1.tgz
- socket.io-1.7.3.tgz
ms-0.7.2.tgz
Tiny milisecond conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.2.tgz
Path to dependency file: esri-leaflet/package.json
Path to vulnerable library: esri-leaflet/node_modules/engine.io/node_modules/ms/package.json
Dependency Hierarchy:
- karma-1.7.1.tgz (Root Library)
- socket.io-1.7.3.tgz
- debug-2.3.3.tgz
- ❌ ms-0.7.2.tgz (Vulnerable Library)
- debug-2.3.3.tgz
- socket.io-1.7.3.tgz
Vulnerability Details
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
CVSS 2 Score Details (3.4)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution: 2.1.1