Primary

Context

string-math Regex Denial-of-Service Vulnerability

Vulnerability

A regular expression denial-of-service (ReDoS) vulnerability has been identified in string-math version 1.2.2. This issue arises from a regex pattern that can be exploited by providing a carefully crafted input, such as a long string of null bytes and tabs, which eventually causes the application to crash.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing the application to crash.

Reproduction

The vulnerability can be reproduced by using the string-math library and inputting a payload that consists of 5000 tabs followed by 100 instances of '0()'. This crafted input takes advantage of the regex pattern, causing a significant delay before the application crashes.

Added: Jun 30, 2025, 5:24 PM

Updated: Jun 30, 2025, 7:20 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.7

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

7.7

remediation

0.0

relevance

0.2

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

string-math Regex Denial-of-Service Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating