CVE-2018-7158

Name
CVE-2018-7158
Description
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Vendor Advisory https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:* nodejs >= 4.0.0 <= 4.1.2
cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:* nodejs >= 4.2.0 <= 4.9.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status