How to Remediate: Vulnerability Detected in debug package (Inefficient Regular Expression Complexity)
I recently ran a security scan using Checkmarx One and detected a high vulnerability in the npm debug package.
Package: debug
Version: 4.3.4 (latest)
CWE: CWE-1333 (Inefficient Regular Expression Complexity)
Description: In NPM debug, the enable function accepts a regular expression from user input without escaping it. Arbitrary regular expressions could be injected to cause a Denial of Service attack on the user's browser, otherwise known as a ReDoS (Regular Expression Denial of Service). This is a different issue than CVE-2017-16137.
I did not directly install and use the debug package. It is a dependency of the following packages that I am currently using:
- mocha @ 10.2.0
- mocha-junit-reporter @ 2.2.0
- supertest @ 6.3.3
- hygen @ 6.2.11
Is there any recommended remediation for this vulnerability?
Screenshot of Checkmarx One description of the Vulnerability
