CVE-2017-20165

LOW

debug < 3.1.0 - Inefficient Regular Expression Complexity in useColors Function

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-20165. PoCs published by fastify.

AI-analyzed exploit summary This repository contains a proof-of-concept for CVE-2017-20165, which involves a directory traversal vulnerability in the `@fastify/send` library. The exploit allows attackers to access files outside the intended directory root by manipulating the request path.

Description

A vulnerability classified as problematic has been found in debug-js debug up to 3.0.x. This affects the function useColors of the file src/node.js. The manipulation of the argument str leads to inefficient regular expression complexity. Upgrading to version 3.1.0 is able to address this issue. The identifier of the patch is c38a0166c266a679c8de012d4eaccec3f944e685. It is recommended to upgrade the affected component. The identifier VDB-217665 was assigned to this vulnerability.

Exploits (1)

nomisec WORKING POC 15 stars

by fastify · poc

https://github.com/fastify/send

View Code ZIP pw:eip

This repository contains a proof-of-concept for CVE-2017-20165, which involves a directory traversal vulnerability in the `@fastify/send` library. The exploit allows attackers to access files outside the intended directory root by manipulating the request path.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: @fastify/send library

No auth needed

Prerequisites: Access to the target server · The `@fastify/send` library being used in the application

MITRE ATT&CK

T1006 - Direct Volume Access

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.217665

Third Party Advisory, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.217665

Patch issue-tracking

https://github.com/debug-js/debug/pull/504

Patch patch

https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685

View Patch ZIP pw:eip

Release Notes patch

https://github.com/debug-js/debug/releases/tag/3.1.0

Scores

CVSS v3 3.5

EPSS 0.0158

EPSS Percentile 82.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (2)

debug_project/debug < 2.6.9

npm/debug 3.0.0 - 3.1.0npm

Published Jan 09, 2023

Tracked Since Feb 18, 2026