Platform: nodejs
Component: no-case
Fixed in: 2.3.2
CVE-2017-16099 describes a Denial of Service (DoS) vulnerability found in the no-case library. This vulnerability arises from improper handling of untrusted user input during regular expression parsing, leading to excessive resource consumption and potential application crashes. Affected versions include those prior to 2.3.2. Updating to version 2.3.2 or later resolves the issue.
An attacker can exploit this vulnerability by crafting input that drives the library's regular expression into a computationally expensive match. Because Node.js runs JavaScript on a single thread, a long-running regex blocks the event loop, so the whole application becomes unresponsive and unavailable to legitimate users. The impact can range from temporary service disruption to complete application downtime, potentially affecting critical business operations. This is a classic regex DoS (ReDoS) pattern, similar to those seen in other parsing libraries.
CVE-2017-16099 was published on July 24, 2018. There is no indication of active exploitation campaigns targeting this vulnerability. The EPSS score is likely low, given the lack of public exploits and the relatively straightforward mitigation (upgrade). No known KEV status. Public proof-of-concept (PoC) code is not widely available, suggesting limited public awareness and exploitation.
Exploit Status
EPSS: 0.33% (56th percentile)
CVSS Vector
The primary mitigation for CVE-2017-16099 is to upgrade to version 2.3.2 or later of the no-case library. If upgrading is not immediately feasible, consider implementing input validation and sanitization to prevent malicious regular expressions from being processed. WAF rules could be configured to block requests containing suspicious regular expression patterns. Careful review of any user-supplied data used in regular expressions is crucial. After upgrading, confirm the fix by attempting to parse known malicious input and verifying that the application does not crash or exhibit excessive resource consumption.
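The two practical steps in the mitigation above (find every copy of no-case below 2.3.2 in a dependency tree, and bound untrusted input while the upgrade is pending) can be scripted. The following is an added example written for this page, not code from the advisory or from the no-case project; the lockfile it walks is a constructed sample, the `MAX_UNTRUSTED_LENGTH` budget is an assumed value, and `param-case` appears only as an illustrative parent package.

```javascript
// Added example (not from the advisory or the no-case project): defensive
// checks for CVE-2017-16099.
//  1. isAffectedVersion(): flag no-case versions before the fixed release 2.3.2.
//  2. findAffectedNoCase(): walk a package-lock.json "dependencies" tree and
//     list every nested copy of no-case that is still on a pre-fix release.
//  3. guardUntrustedInput(): cap the size of untrusted strings before they reach
//     a regex-backed helper, the interim mitigation the advisory suggests.

const FIXED_VERSION = '2.3.2'; // from the advisory's "Fixed in" field

// Compare two dotted numeric version strings; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when an installed no-case version predates the fix.
// A leading "^", "~" or "v" is stripped so range specifiers compare cleanly.
function isAffectedVersion(version) {
  return compareVersions(version.replace(/^[^\d]*/, ''), FIXED_VERSION) < 0;
}

// Recursively walk lockfile v1-style "dependencies" objects. Transitive copies
// of no-case pulled in by other packages are the ones teams usually miss.
function findAffectedNoCase(lock, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = [...path, `${name}@${entry.version}`];
    if (name === 'no-case' && isAffectedVersion(entry.version)) {
      out.push(here.join(' > '));
    }
    findAffectedNoCase(entry, here, out);
  }
  return out;
}

// Interim mitigation: reject untrusted input above a length budget before it is
// handed to the case-conversion regexes, so the engine's worst case stays bounded.
const MAX_UNTRUSTED_LENGTH = 256; // assumed budget; tune to your real field sizes
function guardUntrustedInput(str) {
  if (typeof str !== 'string') throw new TypeError('expected a string');
  if (str.length > MAX_UNTRUSTED_LENGTH) {
    throw new RangeError(`input too long (${str.length} > ${MAX_UNTRUSTED_LENGTH})`);
  }
  return str;
}

// Constructed sample lockfile: the direct dependency is already upgraded, but a
// transitive copy under a hypothetical parent package is still on 2.3.1.
const SAMPLE_LOCK = {
  dependencies: {
    'no-case': { version: '2.3.2' },
    'param-case': {
      version: '2.1.1',
      dependencies: { 'no-case': { version: '2.3.1' } },
    },
  },
};

const report = findAffectedNoCase(SAMPLE_LOCK);
console.log(report.length ? report : 'no vulnerable no-case copies found');
```

Point `findAffectedNoCase` at the parsed contents of a real `package-lock.json` to get one line per vulnerable copy with the path that pulled it in; each path names the parent that must be bumped or overridden, since upgrading only the direct dependency leaves nested copies in place. `guardUntrustedInput` is a stopgap, not a fix: it limits how much work any single request can hand to the regex engine until 2.3.2 is deployed everywhere.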
No official patch available. Check for workarounds or monitor for updates.
CVE-2017-16099 is a denial-of-service vulnerability in the no-case library, where parsing untrusted user input can trigger a regular expression DoS, potentially crashing the application.
You are affected if you are using a version of no-case prior to 2.3.2 and process untrusted user input in regular expressions.
Upgrade to version 2.3.2 or later of the no-case library. Implement input validation and sanitization as a temporary workaround if upgrading is not immediately possible.
There is currently no evidence of active exploitation campaigns targeting CVE-2017-16099.
Refer to the no-case project's repository or website for relevant advisories and release notes: https://github.com/diegonvasquez/no-case