CVE-2017-16117

HIGH

slug < 0.9.1 - Regular Expression Denial of Service via Crafted Unicode Input


Description

slug is a module to slugify strings, even if they contain unicode. Versions of slug before 0.9.1 are vulnerable to regular expression denial of service (ReDoS) when specially crafted untrusted input is passed to it: the slugifying regex backtracks super-linearly on such input, so a request of about 50k characters can block the Node.js event loop for roughly 2 seconds. Because the event loop is single-threaded, one such request stalls every other request the process is serving.
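The following is an added illustration of the vulnerability class and the two checks a practitioner would want; it is not node-slug's code and the backtracking pattern in it is a constructed stand-in for a ReDoS-prone regex, not the actual expression shipped in slug < 0.9.1. `safeSlugify`, `MAX_SLUG_INPUT`, `timeMatch` and `isAffectedSlugVersion` are hypothetical helpers introduced here: a linear-time slugifier with an input-length cap as the mitigation, a timing harness to observe the blow-up on short inputs, and a plain version comparison against the fixed release named in the title.

```javascript
// Added example for CVE-2017-16117, not node-slug's code. The pattern below
// is a constructed stand-in for the ReDoS class, not slug's real regex.

// Nested quantifiers over overlapping classes: on "aaa...a!" the engine tries
// every way to split the run of "a"s between the inner and outer "+" before
// failing at "!", which is exponential in the length of the run.
const BACKTRACKING_PATTERN = /^(\w+[\s-]*)+$/;

// Wall-clock time of a single regex test, in milliseconds.
function timeMatch(pattern, input) {
  const start = process.hrtime.bigint();
  const matched = pattern.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Defensive cap applied before any regex or loop touches untrusted input.
// The value is an assumption; size it to the longest title you expect.
const MAX_SLUG_INPUT = 1024;

// Single-code-point classes only: no quantifiers, so no backtracking.
const COMBINING_MARK = /\p{M}/u;
const LETTER_OR_DIGIT = /[\p{L}\p{N}]/u;

// Hypothetical hardened slugify: one linear pass over code points, so cost
// grows with input length and never with the number of ways to split it.
function safeSlugify(input, maxLen = MAX_SLUG_INPUT) {
  if (typeof input !== 'string') throw new TypeError('input must be a string');
  if (input.length > maxLen) throw new RangeError(`input longer than ${maxLen} characters`);

  // NFKD splits accented letters into base letter + combining mark,
  // so "é" becomes "e" followed by U+0301, which is dropped below.
  const out = [];
  let pendingSeparator = false;
  for (const ch of input.normalize('NFKD')) {
    if (COMBINING_MARK.test(ch)) continue;        // drop diacritics
    if (LETTER_OR_DIGIT.test(ch)) {
      if (pendingSeparator && out.length > 0) out.push('-');
      pendingSeparator = false;
      out.push(ch.toLowerCase());
    } else {
      pendingSeparator = true;                     // punctuation/space separates
    }
  }
  return out.join('');                             // no leading/trailing dash
}

// True when an installed slug version is below the fixed release (0.9.1 per
// the advisory title). Plain x.y.z comparison; prerelease tags not handled.
function isAffectedSlugVersion(version, fixed = '0.9.1') {
  const parse = (v) => v.replace(/^v/, '').split('.').map(Number);
  const [a, b] = [parse(version), parse(fixed)];
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed inputs. The advisory's 50k-character case blocks the loop for
  // seconds, so the demo stays far below that and only shows the growth rate.
  for (const n of [10, 14, 18]) {
    const { ms } = timeMatch(BACKTRACKING_PATTERN, 'a'.repeat(n) + '!');
    console.log(`backtracking pattern, ${n + 1} chars: ${ms.toFixed(2)} ms`);
  }
  const start = process.hrtime.bigint();
  safeSlugify('Héllo, Wörld! '.repeat(70));       // ~1000 chars, linear
  console.log(`safeSlugify, 980 chars: ${(Number(process.hrtime.bigint() - start) / 1e6).toFixed(2)} ms`);
  console.log(safeSlugify('Héllo, Wörld!'));      // hello-world
  console.log(isAffectedSlugVersion('0.9.0'), isAffectedSlugVersion('0.9.1'));
}
```

The length cap matters as much as the linear loop: even a linear slugifier still does work proportional to the request, so reject oversized input before normalizing it. Run `npm ls slug` and feed the reported version to `isAffectedSlugVersion` to confirm whether a tree still pulls in a pre-0.9.1 release.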

References (2)

https://github.com/dodo/node-slug/issues/82 (Third Party Advisory)
https://nodesecurity.io/advisories/537 (Third Party Advisory)

Scores

CVSS v3 7.5
EPSS 0.0158
EPSS Percentile 72.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (2)
npm/slug 0 - 0.9.2
slug_project/slug < 0.9.1
Published Jun 07, 2018
Tracked Since Feb 18, 2026