game-ui / package.json

Security Vulnerabilities

Project: game-ui
File: package.json
Scanned on: 2020-11-01 at 20:52 UTC
Dependencies: 32
Security Vulnerabilities: 1

These dependencies all have known security vulnerabilities. We recommend to either remove them from the project or to follow the recommendations in the 'recommendation' section, if available.

NodeJS/negotiator/0.6.0

Regular Expression Denial of Service

Published date: 2016-06-16

CVSS Score: 7.5

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Coordinating vendor: ^Lift Security

Links:

https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa.

The header for "Accept-Language", when parsed by negotiator is vulnerable to Regular Expression Denial of Service via a specially crafted string.

Timeline

April 29th 2016 - Initial report to maintainers
April 29th 2016 - Confirm receipt from maintainers
May 1st 2016 - Fix confirmed
May 5th 2016 - 0.6.1 published with fix
June 16th 2016 - Advisory published (delay was to coordinate fixes in upstream frameworks, Koa and Express)

Affected versions: ["0.1.0", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.3.0", "0.4.0", "0.4.1", "0.4.2", "0.4.3", "0.4.4", "0.4.5", "0.4.6", "0.4.7", "0.4.8", "0.4.9", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.6.0"]

Secure versions: [0.6.1, 0.6.2]

Recommendation: Upgrade to at least version 0.6.1 Express users should update to Express 4.14.0 or greater. If you want to see if you are using a vulnerable call, a quick grep for the `acceptsLanguages` function call in your application will tell you if you are using this functionality.