WS-2015-0015 (Medium) detected in ms-0.6.2.tgz

[mend-bolt-for-github]

WS-2015-0015 - Medium Severity Vulnerability

Vulnerable Library - ms-0.6.2.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.6.2.tgz

Path to dependency file: /PitchDeck/plugin/multiplex/package.json

Path to vulnerable library: /tmp/git/PitchDeck/plugin/multiplex/node_modules/engine.io/node_modules/ms/package.json

Dependency Hierarchy:

• socket.io-1.3.7.tgz (Root Library)
  • debug-2.1.0.tgz
    • ❌ ms-0.6.2.tgz (Vulnerable Library)

Found in HEAD commit: c4b4153557cc59a4ee7b9cedf5d38ad01ff91b2d

Vulnerability Details

Ms is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.

Publish Date: 2015-10-24

URL: WS-2015-0015

CVSS 2 Score Details (5.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/46

Release Date: 2015-10-24

Fix Resolution: Update to version 0.7.1 or greater. An alternative would be to limit the input length of the user input before passing it into ms.

---

Step up your Open Source Security Game with WhiteSource here