The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()` was structured in such a way as to allow an attacker to craft a string, that when passed through one of these functions, could take a significant amount of time to evaluate, potentially leading to a full denial of service.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: nodejs

Published: 2018-05-17T14:00:00Z

Updated: 2024-09-16T16:48:51.289Z

Reserved: 2018-02-15T00:00:00

Link: CVE-2018-7158

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-05-17T14:29:00.527

Modified: 2024-11-21T04:11:41.790

Link: CVE-2018-7158

cve-icon Redhat

Severity : Moderate

Publid Date: 2018-03-08T00:00:00Z

Links: CVE-2018-7158 - Bugzilla