Platform: nodejs
Component: debug
Fixed in: 2.6.9
CVE-2017-16137 describes a Denial of Service (DoS) vulnerability within the debug event formatter. This vulnerability arises when untrusted user input is processed by the o formatter, leading to a regular expression DoS. Exploitation requires approximately 50,000 characters to block the event loop for two seconds, classifying it as a low-severity issue. Affected versions include 2.x.x, 3.1.x, 3.2.x, and 4.x.x, with fixes available in later releases.
The primary impact of CVE-2017-16137 is a denial of service. A successful attacker can craft malicious input that triggers a computationally expensive regular expression, effectively freezing the event loop. This can render the application unresponsive, preventing legitimate users from accessing its functionality. While the attack requires a relatively large input (50,000 characters), the potential for service disruption makes it a concern, especially in environments where the debug formatter is exposed to untrusted input. The impact is limited to the affected application instance; lateral movement is not directly possible through this vulnerability.
CVE-2017-16137 is not currently listed on KEV or EPSS. Given the low CVSS score and the relatively complex exploitation requirements (requiring a large input), the probability of active exploitation is considered low. Public proof-of-concept (POC) code is available, demonstrating the vulnerability's exploitability. The vulnerability was published on August 9, 2018.
Exploit Status
EPSS: 0.10% (27th percentile)
CVSS Vector
The recommended mitigation for CVE-2017-16137 is to upgrade to a patched version of the debug event formatter. Specific versions to upgrade to are 2.6.9 or later for 2.x.x, 3.1.0 or later for 3.1.x, 3.2.7 or later for 3.2.x, and 4.3.1 or later for 4.x.x. If an immediate upgrade is not feasible, consider implementing input validation to sanitize user-provided data before it is processed by the o formatter. This can involve limiting the length of input strings or filtering out potentially malicious characters. After upgrading, confirm the fix by attempting to trigger the formatter with a large string of characters; the event loop should not be blocked.
CVE-2017-16137 is a Denial of Service vulnerability in the debug event formatter, allowing an attacker to block the event loop through a regular expression DoS. It's classified as a low-severity issue.
You are affected if you are using versions 2.x.x, 3.1.x, 3.2.x, or 4.x.x of the debug event formatter and exposing it to untrusted user input.
Upgrade to version 2.6.9+, 3.1.0+, 3.2.7+, or 4.3.1+ of the debug event formatter. Input validation can also be implemented as a temporary workaround.
While public POCs exist, there's no current evidence of widespread active exploitation of CVE-2017-16137 due to its low CVSS score and exploitation complexity.
Refer to the official Node Security Project advisory for CVE-2017-16137: https://www.npmjs.com/advisories/721