CVE-2023-25166

MEDIUM

Hapi Formula < 3.0.1 - Denial of Service

Title source: rule

Description

formula is a math and string formula parser. In versions prior to 3.0.1 crafted user-provided strings to formula's parser might lead to polynomial execution time and a denial of service. Users should upgrade to 3.0.1+. There are no known workarounds for this vulnerability.

References (2)

[Vendor Advisory] https://github.com/hapijs/formula/security/advisories/GHSA-c2jc-4fpr-4vhg

[Patch] https://github.com/hapijs/formula/commit/9fbc20a02d75ae809c37a610a57802cd1b41b3fe

View Patch ZIP pw:eip

Scores

CVSS v3 5.5

EPSS 0.0115

EPSS Percentile 78.6%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1333

Status published

Products (2)

hapi/formula < 3.0.1

sideway/formula 0 - 3.0.1npm

Published Feb 08, 2023

Tracked Since Feb 18, 2026