CVE-2017-16116
HIGH
string < 0.2.1 - Denial of Service via Regular Expression in underscore or unescapeHTML
The string module provides extra string operations. It is vulnerable to regular expression denial of service (ReDoS) when specially crafted untrusted user input is passed into the underscore or unescapeHTML methods.
References (2)
Patch, Third Party Advisory x_refsource_misc
https://nodesecurity.io/advisories/536
Exploit, Third Party Advisory x_refsource_misc
https://github.com/jprichardson/string.js/issues/212
Scores
CVSS v3
7.5
EPSS
0.0166
EPSS Percentile
73.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-400
Status
published
Products (2)
npm/string
0npm
string_project/string
< 0.2.1
Published
Jun 07, 2018
Tracked Since
Feb 18, 2026