// For flags

CVE-2018-7158

 

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.

El módulo "path" en la línea de distribución 4.x de Node.js cointiene un vector potencial de denegación de servicio con expresiones regulares (ReDoS). El código en cuestión se reemplazó en Node.js 6.x y siguientes, por lo que esta vulnerabilidad solo impact a todas las versiones de Node.js 4.x. La expresión regular "splitPathRe", empleada en el módulo "path" para las diversas funciones de análisis de ruta, incluyendo "path.dirname()", "path.extname()" y "path.parse()" se estructuró de tal forma que permite que un atacante manipule una cadena que, al pasarse por una de estas funciones, podría gastar mucho tiempo para evaluar. Esto podría conducir a una denegación de servicio (DoS) completa.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-02-15 CVE Reserved
  • 2018-05-17 CVE Published
  • 2024-02-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-185: Incorrect Regular Expression
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 4.0.0 <= 4.1.2
Search vendor "Nodejs" for product "Node.js" and version " >= 4.0.0 <= 4.1.2"
-
Affected
Nodejs
Search vendor "Nodejs"
Node.js
Search vendor "Nodejs" for product "Node.js"
>= 4.2.0 <= 4.9.1
Search vendor "Nodejs" for product "Node.js" and version " >= 4.2.0 <= 4.9.1"
lts
Affected