Medium severityGHSA Advisory· Published Sep 1, 2020· Updated Sep 23, 2021
Regular Expression Denial of Service in bleach
CVE-2014-8881
Description
All versions of the bleach package are vulnerable to a regular expression denial of service attack when certain types of input are passed into the sanitize function.
Recommendation
The bleach package is not currently maintained, and has not seen an update since 2014.
To mitigate this issue, it is necessary to use an alternative module that is actively maintained and provides similar functionality. There are multiple modules fitting this criteria available on npm..
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
bleachnpm | >= 0.0.0 | — |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-mvmf-cvfx-qg55ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2014-8881ghsaADVISORY
- snyk.io/vuln/npm:bleach:20151024ghsaWEB
- www.npmjs.com/advisories/47ghsaWEB
News mentions
0No linked articles in our index yet.