Bug 2160359 (CVE-2020-36649) - CVE-2020-36649 papaparse: RegExp used to detect numbers is vulnerable to ReDoS
Summary: CVE-2020-36649 papaparse: RegExp used to detect numbers is vulnerable to ReDoS
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-36649
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2160216
TreeView+ depends on / blocked
 
Reported: 2023-01-12 07:11 UTC by Sandipan Roy
Modified: 2023-01-22 23:22 UTC (History)
8 users (show)

Fixed In Version: PapaParse 5.2.0
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in PapaParse. The affected function is present in the papaparse.js file. The manipulation leads to an inefficient regular expression complexity.
Clone Of:
Environment:
Last Closed: 2023-01-22 23:22:11 UTC
Embargoed:

Attachments (Terms of Use)

Description Sandipan Roy 2023-01-12 07:11:39 UTC 
A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.

https://github.com/mholt/PapaParse/commit/235a12758cd77266d2e98fd715f53536b34ad621
https://github.com/mholt/PapaParse/pull/779
https://github.com/mholt/PapaParse/issues/777
https://vuldb.com/?ctiid.218004
https://vuldb.com/?id.218004
https://github.com/mholt/PapaParse/releases/tag/5.2.0
Comment 2 Product Security DevOps Team 2023-01-22 23:22:09 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-36649
Note You need to log in before you can comment on or make changes to this bug.