Vulnerability Details : CVE-2016-2537
The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.
Vulnerability category: Input validation, Denial of service
Products affected by CVE-2016-2537
- cpe:2.3:a:is_my_json_valid_project:is_my_json_valid:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-2537
- 0.43%: Probability of exploitation activity in the next 30 days
- ~75%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2016-2537
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2016-2537
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-2537
- https://nodesecurity.io/advisories/76 (npm)
- https://github.com/mafintosh/is-my-json-valid/commit/eca4beb21e61877d76fdf6bea771f72f39544d9b (Patch): fix utc-millisec regex to avoid a ddos attack · mafintosh/is-my-json-valid@eca4beb · GitHub