Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty option when parsing.
This has been patched in v4.3.6
You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6
This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.
Link to query run.
If you have any questions or comments about this advisory:
* Open an issue in fast-csv
| Score | Percentile |
|---|---|
| 1.07% | 77.50% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 5.7 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-8cv5-p934-3hwp ↗ |
| CVE | CVE-2020-26256 ↗ |
| CWE id | Name |
|---|---|
| CWE-400 | Uncontrolled Resource Consumption |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | fast-csv | < 4.3.6 | 4.3.6 | — |
| npm | @fast-csv/parse | < 4.3.6 | 4.3.6 | — |