Platform: nodejs
Component: string
Fixed in: 3.3.4
CVE-2017-16116 describes a Denial of Service (DoS) vulnerability in the string.js library for Node.js. It is a Regular Expression Denial of Service (ReDoS): when specially crafted, untrusted input reaches the underscore or unescapeHTML methods, regular-expression backtracking consumes CPU for far longer than the input length would suggest, exhausting the process and disrupting service. Versions of string.js up to and including 3.3.3 are affected. The version metadata above lists 3.3.4 as the fixed version, but the advisory text describes no official release containing a fix; verify what is actually published in the npm registry before relying on a version bump. Workarounds and a user-provided patch are recommended instead.
An attacker exploits this by submitting input crafted to trigger catastrophic backtracking inside string.js. Because Node.js executes JavaScript on a single event loop, a regular expression that runs for seconds blocks every other request handled by that process, so the application stops responding to legitimate users even though the process itself may not exit. The impact is most severe in production environments where the application is critical and downtime is unacceptable. Since the cost comes from backtracking rather than from payload size, comparatively short inputs are enough to trigger the condition, and a bare length limit is not a sufficient defence on its own: input validation that constrains the characters reaching these methods, or a code change to the patterns, is required. Regex-based DoS vulnerabilities of this kind have historically caused significant service outages.
This CVE was publicly disclosed on July 24, 2018. There is no indication of active exploitation campaigns targeting this vulnerability, and it is not currently listed in the CISA KEV catalog. Public proof-of-concept inputs are available, demonstrating how easily the DoS condition is triggered. The EPSS score of 0.37% (59th percentile) is low, reflecting the availability of mitigations and the absence of widespread exploitation.
Exploit Status
EPSS: 0.37% (59th percentile)
CVSS Vector
Because no official patch is available, mitigation focuses on keeping untrusted input away from the vulnerable code paths. The primary recommendation is not to pass user-supplied input directly to the underscore and unescapeHTML methods of string.js. If those methods are essential, validate input strictly before processing: restrict the character set and length of the field, and reject or truncate anything outside the expected shape. A user-provided patch is available in Pull Request #217 on the string.js GitHub repository; test it thoroughly in a non-production environment before deploying it, since it is not a maintainer release. After applying the patch or adding validation, confirm both behaviour and performance by exercising the methods with a range of inputs, including the near-miss payloads known to trigger backtracking, and check that processing time grows roughly in proportion to input length rather than exploding.
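The following is an added example, not code from string.js or from the PR #217 patch, showing the two halves of the workaround above: a length-and-type guard placed in front of any ReDoS-prone string method, and a runtime-growth probe used to verify that a method does not backtrack catastrophically. The regexes inside it are constructed stand-ins for illustration (one deliberately pathological, one with a bounded entity body); they are not the patterns used by string.js, and the 1024-character limit is an assumed field size.

```javascript
'use strict';
// Added example (not string.js code). The two regexes below are constructed
// stand-ins: `pathologicalMatch` shows the backtracking shape that causes
// ReDoS, `boundedUnescape` shows a bounded pattern that does not. Neither is
// the pattern inside string.js.

// Assumption: an upper bound appropriate for the field being processed.
const MAX_UNTRUSTED_LEN = 1024;

// Constructed pathological pattern: nested quantifiers plus an end anchor.
// On an almost-matching input ("aaaa!") the engine retries every way of
// splitting the run of 'a's before failing, which is exponential in length.
function pathologicalMatch(s) {
  return /^(a+)+$/.test(s);
}

// Constructed hardened decoder: the entity body is a restricted class with a
// bounded length, so each '&' costs at most a fixed number of steps.
function boundedUnescape(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&([a-z]{1,6});/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(map, name) ? map[name] : whole);
}

// Mitigation 1: refuse non-string and oversized untrusted input before the
// string method ever runs. Returns a result object instead of throwing so
// callers can log the rejection.
function guardedCall(fn, input, maxLen = MAX_UNTRUSTED_LEN) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'input must be a string' };
  }
  if (input.length > maxLen) {
    return { ok: false, reason: `input exceeds ${maxLen} characters` };
  }
  return { ok: true, value: fn(input) };
}

// Best-of-N wall-clock time in nanoseconds; taking the minimum damps GC and
// JIT warm-up jitter.
function bestOfNs(fn, input, reps = 5) {
  let best = Infinity;
  for (let i = 0; i < reps; i += 1) {
    const t0 = process.hrtime.bigint();
    fn(input);
    const dt = Number(process.hrtime.bigint() - t0);
    if (dt < best) best = dt;
  }
  return best;
}

// Mitigation 2 (verification): grow the input by a modest factor and compare
// how runtime grows. A linear-time function's runtime grows about as fast as
// the input; a backtracking-prone one grows far faster. `factor` is the slack
// allowed above proportional growth before the function is flagged.
function isSuperlinear(fn, buildInput, smallN, largeN, factor = 8) {
  const tSmall = bestOfNs(fn, buildInput(smallN));
  const tLarge = bestOfNs(fn, buildInput(largeN));
  const lengthRatio = largeN / smallN;
  const timeRatio = tLarge / Math.max(tSmall, 1);
  return timeRatio > factor * lengthRatio;
}

// Constructed payloads. nearMiss: n 'a's followed by a character that defeats
// the end anchor. entityHeavy: many valid entities, then an '&' followed by a
// long run that never closes with ';'.
const nearMiss = (n) => 'a'.repeat(n) + '!';
const entityHeavy = (n) => '&amp;'.repeat(n) + '&' + 'x'.repeat(n);

function demo() {
  return {
    pathologicalFlagged: isSuperlinear(pathologicalMatch, nearMiss, 16, 22),
    boundedFlagged: isSuperlinear(boundedUnescape, entityHeavy, 2000, 2600),
    decoded: guardedCall(boundedUnescape, '&lt;b&gt;'),
    oversize: guardedCall(pathologicalMatch, nearMiss(4096)),
  };
}

console.log(demo());
```

The probe compares runtime at two input sizes rather than timing a single call, so it does not depend on an absolute threshold that varies between machines; a method that passes the guard but still fails the probe is one whose pattern needs changing, not one that can be saved by input limits.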
No official patch available. Check for workarounds or monitor for updates.
CVE-2017-16116 is a Regular Expression Denial of Service vulnerability in the string.js library for Node.js, affecting versions up to 3.3.3. Crafted input to the underscore or unescapeHTML methods causes catastrophic backtracking that blocks the event loop and makes the application unresponsive.
You are affected if your Node.js application uses string.js version 3.3.3 or earlier and passes untrusted input to the underscore or unescapeHTML methods without validating it first.
There is no official patch. Mitigate by keeping user input away from underscore and unescapeHTML, or by applying the user-provided patch from Pull Request #217 after thorough testing.
There is no current evidence of active exploitation campaigns targeting this vulnerability, but public proof-of-concept inputs exist.
Refer to the string.js GitHub repository for information and the user-provided patch: https://github.com/jprichardson/string.js