Medium severity5.3NVD Advisory· Published Jun 7, 2018· Updated Jun 17, 2026
CVE-2017-16137
CVE-2017-16137
Description
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
debugnpm | < 2.6.9 | 2.6.9 |
debugnpm | >= 3.0.0, < 3.1.0 | 3.1.0 |
debugnpm | >= 3.2.0, < 3.2.7 | 3.2.7 |
debugnpm | >= 4.0.0, < 4.3.1 | 4.3.1 |
Affected products
26- osv-coords25 versionspkg:apk/chainguard/kubeflow-pipelinespkg:apk/chainguard/kubeflow-pipelines-apiserverpkg:apk/chainguard/kubeflow-pipelines-cache-deployerpkg:apk/chainguard/kubeflow-pipelines-cache-deployer-compatpkg:apk/chainguard/kubeflow-pipelines-cache_serverpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/kubeflow-pipelines-metadata-envoy-configpkg:apk/chainguard/kubeflow-pipelines-metadata-writerpkg:apk/chainguard/kubeflow-pipelines-metadata-writer-compatpkg:apk/chainguard/kubeflow-pipelines-persistence_agentpkg:apk/chainguard/kubeflow-pipelines-scheduledworkflowpkg:apk/chainguard/kubeflow-pipelines-viewer-crd-controllerpkg:apk/wolfi/kubeflow-pipelinespkg:apk/wolfi/kubeflow-pipelines-apiserverpkg:apk/wolfi/kubeflow-pipelines-cache-deployerpkg:apk/wolfi/kubeflow-pipelines-cache-deployer-compatpkg:apk/wolfi/kubeflow-pipelines-cache_serverpkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/kubeflow-pipelines-metadata-envoy-configpkg:apk/wolfi/kubeflow-pipelines-metadata-writerpkg:apk/wolfi/kubeflow-pipelines-metadata-writer-compatpkg:apk/wolfi/kubeflow-pipelines-persistence_agentpkg:apk/wolfi/kubeflow-pipelines-scheduledworkflowpkg:apk/wolfi/kubeflow-pipelines-viewer-crd-controllerpkg:npm/debug
< 2.4.0-r7+ 24 more
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.4.0-r7
- (no CPE)range: < 2.6.9
- HackerOne/debug node modulev5Range: <= 2.6.8 || >= 3.0.0 <= 3.0.1
Patches
Vulnerability mechanics
References
14- github.com/visionmedia/debug/pull/504nvdPatchThird Party AdvisoryWEB
- github.com/advisories/GHSA-gxpj-cx7g-858cghsaADVISORY
- github.com/visionmedia/debug/issues/501nvdThird Party AdvisoryWEB
- nodesecurity.io/advisories/534nvdThird Party Advisory
- nvd.nist.gov/vuln/detail/CVE-2017-16137ghsaADVISORY
- github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020ghsaWEB
- github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290ghsaWEB
- github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5acghsaWEB
- github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5aghsaWEB
- github.com/debug-js/debug/issues/797ghsaWEB
- lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3EghsaWEB
- lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3Envd
- lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3Envd
News mentions
0No linked articles in our index yet.