Severity
7.5 HIGH
EPSS
1.3%
top 20.55%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: May 17
Latest update: May 13

Description

The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later, so this vulnerability only impacts all versions of Node.js 4.x. The regular expression `splitPathRe`, used within the `'path'` module for the various path parsing functions, including `path.dirname()`, `path.extname()` and `path.parse()`, was structured in such a way as to allow an attacker to craft a string, that

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source | Package | Affected versions | More
Debian | nodejs | < 6.0.0~dfsg-1 | +3
NVD | nodejs/node.js | 4.0.0 to 4.1.2 | +1

🔴Vulnerability Details (3)

GHSA
GHSA-43w8-q5fx-vj5w: The `'path'` module in the Node (2022-05-13)
OSV
CVE-2018-7158: The `'path'` module in the Node (2018-05-17)
CVEList
CVE-2018-7158: The `'path'` module in the Node (2018-05-17)

📋Vendor Advisories (2)

Red Hat
nodejs: path module regular expression denial of service (2018-03-08)
Debian
CVE-2018-7158: nodejs - The `'path'` module in the Node.js 4.x release line contains a potential regular... (2018)

💬Community (3)

Bugzilla
CVE-2018-7158 nodejs: path module regular expression denial of service (2018-03-29)
Bugzilla
CVE-2018-7158 CVE-2018-7159 CVE-2018-7160 nodejs: various flaws [fedora-all] (2018-03-29)
Bugzilla
CVE-2018-7158 CVE-2018-7159 CVE-2018-7160 nodejs: various flaws [epel-all] (2018-03-29)
CVE-2018-7158 (HIGH CVSS 7.5) | The `'path'` module in the Node.js | cvebase.io