The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Hosted-git-info | Npmjs | 2.0.0 (including) | 2.8.9 (excluding) |
Hosted-git-info | Npmjs | 3.0.0 (including) | 3.0.8 (excluding) |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.