-
Notifications
You must be signed in to change notification settings - Fork 8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
🚧Redos vulnerability in Wordwrap #8653
Comments
@raghunandhanvr I didn't find any code usage with this dependency, let me know if you found one. |
@raghunandhanvr how would this be fixed? |
Thank you @raghunandhanvr - we're keeping an eye out on jonschlinkert/word-wrap#32 - our internal assessment is: Because this code is used only by eslint and this being a dev only package, there is no public facing code that will be affected by this vulnerability. Also as indicated by the optionator package - this vulnerability does not affect their code. Therefore, no mitigation is needed as we are not affected by this vulnerability. Also including the eslint assesment @ eslint/eslint#17117 (comment) for completeness.
|
Dear cal.com team,
I am writing to inform you of a vulnerability in the Wordwrap package (version 1.0.0) that is used by your website/service. This vulnerability can be exploited through a regular expression Denial of Service (ReDoS) attack, which can cause the package to enter an infinite loop, leading to a denial of service on the affected system.
The vulnerability affects all versions of the Wordwrap package up to and including version 1.0.0, and unfortunately, there is currently no known fix for the issue. I have included a proof-of-concept code snippet below that demonstrates the vulnerability in action:
As you can see, this code snippet can cause the Wordwrap package to enter an infinite loop when provided with a specially crafted input string, resulting in a significant delay in processing time and potentially leading to a denial of service.
I urge you to take immediate action to address this vulnerability by either updating to a patched version of the Wordwrap package (if and when one becomes available), or by finding an alternative package that is not vulnerable to this issue.
Thank you for your attention to this matter. Please let me know if you require any additional information or assistance in addressing this vulnerability with respect to cal platform.
Reference: https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973
The text was updated successfully, but these errors were encountered: