Bug 1299498 (CVE-2016-2537) - CVE-2016-2537 nodejs-is-my-json-valid: Regular expression DoS using utc-millisec format
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: CVE-2016-2537
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1299499
Blocks:
Reported: 2016-01-18 14:09 UTC by Adam Mariš
Modified: 2019-09-29 13:42 UTC

Fixed In Version: nodejs-is-my-json-valid 2.12.4
Clone Of:
Environment:
Last Closed: 2017-02-18 14:28:44 UTC
Embargoed:



Description Adam Mariš 2016-01-18 14:09:10 UTC
A regular expression denial of service vulnerability was found in is-my-json-valid. It is possible to block the event loop when specially crafted user input is allowed into a validator using the utc-millisec format.

Upstream patch:

https://github.com/mafintosh/is-my-json-valid/commit/eca4beb21e61877d76fdf6bea771f72f39544d9b

Comment 1 Adam Mariš 2016-01-18 14:09:42 UTC
Created nodejs-is-my-json-valid tracking bugs for this issue:

Affects: fedora-all [bug 1299499]

Comment 2 Fedora Update System 2016-02-03 20:50:42 UTC
nodejs-is-my-json-valid-2.12.4-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2016-02-12 12:22:16 UTC
nodejs-is-my-json-valid-2.12.4-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Piotr Popieluch 2017-02-18 14:28:44 UTC
This is fixed in all Fedora releases.

