CVE-2018-7158

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.

El módulo "path" en la línea de distribución 4.x de Node.js cointiene un vector potencial de denegación de servicio con expresiones regulares (ReDoS). El código en cuestión se reemplazó en Node.js 6.x y siguientes, por lo que esta vulnerabilidad solo impact a todas las versiones de Node.js 4.x. La expresión regular "splitPathRe", empleada en el módulo "path" para las diversas funciones de análisis de ruta, incluyendo "path.dirname()", "path.extname()" y "path.parse()" se estructuró de tal forma que permite que un atacante manipule una cadena que, al pasarse por una de estas funciones, podría gastar mucho tiempo para evaluar. Esto podría conducir a una denegación de servicio (DoS) completa.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-02-15 CVE Reserved
2018-05-17 CVE Published
2024-02-08 EPSS Updated
2024-09-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-185: Incorrect Regular Expression

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases	2022-08-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 4.0.0 <= 4.1.2 Search vendor "Nodejs" for product "Node.js" and version " >= 4.0.0 <= 4.1.2"		-		Affected
Nodejs Search vendor "Nodejs"		Node.js Search vendor "Nodejs" for product "Node.js"				>= 4.2.0 <= 4.9.1 Search vendor "Nodejs" for product "Node.js" and version " >= 4.2.0 <= 4.9.1"		lts		Affected