Regular Expression Denial of Service (ReDoS)
Description
The package locutus before 2.0.15 is vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Locutus prior to 2.0.15 is vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.
Vulnerability
The gopher_parsedir function in the locutus package before version 2.0.15 is vulnerable to Regular Expression Denial of Service (ReDoS). The function uses a regular expression that can cause catastrophic backtracking when processing specially crafted input, leading to excessive CPU consumption. This affects all versions prior to 2.0.15. [1][2][3]
Exploitation
An attacker can exploit this vulnerability by providing a maliciously crafted string to the gopher_parsedir function. The attack requires no authentication and can be performed remotely if the function processes user-supplied input. The crafted input triggers the vulnerable regex to evaluate for an extremely long time, effectively blocking the event loop. [3][4]
Impact
Successful exploitation results in a denial of service (DoS) condition, making the Node.js application unresponsive due to high CPU usage. The attacker does not gain code execution or data access; the impact is limited to availability. [1][3]
Mitigation
The vulnerability is fixed in locutus version 2.0.15, released on or around May 27, 2021. Users should upgrade to version 2.0.15 or later. For those unable to upgrade, no reliable workaround exists; disabling the gopher_parsedir function or avoiding use of gopher URL parsing is recommended if feasible. The fix is available in commit eb86332. [2][4]
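The example below is added here and is not locutus's own code. It parses a Gopher directory entry with the tab-free field pattern from the fix commit (the regex shown in the patch section of this page) and adds a length cap as defence in depth for deployments that cannot upgrade. The return shape, the field names, the MAX_DIRENT_LENGTH value, the item-type table and the sample lines are all this example's own assumptions.

```javascript
// Added example (not locutus's own code): parse a Gopher directory entry
// with the non-backtracking pattern from the fix commit, plus a length guard
// as defence in depth. Field names and the return shape are this example's own.

// Pattern from the fix: every field is a run of non-tab characters, so there
// is exactly one way to assign characters to the groups, and a line that does
// not end in CRLF is rejected after a single pass instead of catastrophic
// backtracking through every possible split.
const SAFE_ENTRY_PATTERN = /^(.)([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\r\n$/;

// Upper bound on one directory line; the value is an assumption for this example.
const MAX_DIRENT_LENGTH = 4096;

// Small RFC 1436 item-type table, constructed here for readable output.
const ITEM_TYPES = {
  '0': 'text file',
  '1': 'directory',
  '7': 'search',
  'g': 'gif',
  'I': 'image',
  'h': 'html',
  'i': 'info',
};

// Returns the parsed fields, or null when the line is not a well-formed entry.
function parseGopherDirent(dirent) {
  if (typeof dirent !== 'string' || dirent.length > MAX_DIRENT_LENGTH) {
    return null; // oversized or non-string input never reaches the regex
  }
  const m = dirent.match(SAFE_ENTRY_PATTERN);
  if (m === null) return null;
  const [, type, title, selector, host, port] = m;
  return {
    type,
    typeName: ITEM_TYPES[type] || 'unknown',
    title,
    selector,
    host,
    port: Number(port),
  };
}

// Measures one parse attempt, to show that malformed lines are rejected in
// bounded time with the patched pattern.
function timedParse(dirent) {
  const start = process.hrtime.bigint();
  const result = parseGopherDirent(dirent);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { result, ms };
}

// Constructed sample lines (not real server output).
const GOOD_LINE = '1Example docs\t/docs\tgopher.example.test\t70\r\n';
const MISSING_CRLF = '1Example docs\t/docs\tgopher.example.test\t70';
const TOO_FEW_FIELDS = '0readme.txt\t/readme.txt\r\n';
// Long line with no terminator: the patched pattern gives up after one pass.
const LONG_UNTERMINATED = '1' + 'a'.repeat(3000) + '\t/x\thost\t70';

console.log(parseGopherDirent(GOOD_LINE));
for (const line of [MISSING_CRLF, TOO_FEW_FIELDS, LONG_UNTERMINATED]) {
  const { result, ms } = timedParse(line);
  console.log(`rejected=${result === null} in ${ms.toFixed(3)} ms`);
}
```

The length cap is the part that matters when the library cannot be updated: it bounds the work any regex can do on a single line regardless of the pattern, whereas the pattern change alone is what removes the backtracking blow-up.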
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| locutus (npm) | < 2.0.15 | 2.0.15 |
Affected products
- locutus/locutus
Patches
- eb863321990e: Prevent ReDos issue with regex inside gopher_parsedir (#446)
1 file changed · +1 −1
src/php/net-gopher/gopher_parsedir.js+1 −1 modified@@ -22,7 +22,7 @@ module.exports = function gopher_parsedir (dirent) { // eslint-disable-line came * s = Audio file format, primarily a WAV file */ - const entryPattern = /^(.)(.*?)\t(.*?)\t(.*?)\t(.*?)\u000d\u000a$/ + const entryPattern = /^(.)([^\t]*)\t([^\t]*)\t([^\t]*)\t([^\t]*)\r\n$/ const entry = dirent.match(entryPattern) if (entry === null) {
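Review bot: the one-line change is the right fix because `[^\t]*` removes the ambiguity that `(.*?)` introduced: a lazy `.*?` can itself consume tab characters, so on a line that never ends in the required `\r\n` the engine retries every way of distributing characters across the four fields before failing, whereas a tab-free class admits exactly one split and fails after a single pass. Two follow-ups are worth adding in the same PR: a regression test that feeds `gopher_parsedir` a long, unterminated line under a timing bound, and a cap on `dirent.length` before the `match` call so oversized input is rejected before the regex runs at all. The `\u000d\u000a` to `\r\n` rewrite is equivalent and purely cosmetic.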
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-39q4-p535-c852 (GHSA, ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2021-23392 (GHSA, ADVISORY)
3. github.com/locutusjs/locutus/commit/eb863321990e7e5514aa14f68b8d9978ece9e65e (GHSA, x_refsource_MISC, WEB)
4. github.com/locutusjs/locutus/pull/446 (GHSA, x_refsource_MISC, WEB)
5. snyk.io/vuln/SNYK-JS-LOCUTUS-1090597 (GHSA, x_refsource_MISC, WEB)