string
Fixed version
3.3.4
CVE-2017-16116 is a Denial of Service (DoS) vulnerability in string.js (published on npm as `string`), a string-manipulation library for Node.js. It is triggered when specially crafted, untrusted input is passed to the `underscore` or `unescapeHTML` methods: the regular expressions behind them backtrack catastrophically on such input, exhausting CPU and disrupting the service. All versions of string.js up to and including 3.3.3 are affected. No official patch is available; workarounds and a user-provided patch are recommended instead.
An attacker exploits this by submitting input crafted to trigger a regular expression denial of service (ReDoS) in one of the affected methods. Because Node.js executes JavaScript on a single event loop, a regex match that runs for seconds or longer stalls every request handled by that process for the duration; the application does not necessarily crash, but it stops responding to legitimate users, which is the practical effect of a DoS. The impact is most severe in production environments where the application is critical and downtime is unacceptable. Since the matching cost grows far faster than the input length, a relatively small payload can be enough, so ordinary request-size limits do not protect you: the vulnerable code paths have to be shielded by input validation or changed. Regex-based DoS vulnerabilities have historically caused significant service outages.
This CVE was publicly disclosed on July 24, 2018. There is no indication of active exploitation campaigns targeting it, and it is not listed in the CISA KEV catalog. Public proof-of-concept exploits are available and show how easily the DoS condition can be triggered. The EPSS score on this page is 0.37% (59th percentile), a low probability of exploitation that reflects the availability of mitigations and the absence of widespread exploitation.
Node.js applications that use string.js and pass user-supplied data to the affected methods without validation are at risk. Web applications, APIs, and backend services relying on string.js are all potential targets. Because the library is no longer receiving security updates, any deployment still depending on it carries this risk.
• nodejs / server (find every installed copy of the `string` package and its version; `ps` cannot show loaded libraries):
npm ls string
find . -path '*/node_modules/string/package.json' -exec grep -H '"version"' {} +
• nodejs / server (look for request timeouts or stalls around the affected methods in the service log):
journalctl -u your-node-app | grep -iE "regular expression|underscore|unescapeHTML|timeout"
• generic web:
A ReDoS does not usually log an error. Look instead for the symptoms of a stalled event loop: a Node.js process pinned at 100% CPU on one core, health checks timing out, and request latency spiking while the process stays alive.
discovery
disclosure
poc
Exploitation status
EPSS
0.37% (59th percentile)
CVSS vector
Because there is no official patch, mitigation focuses on keeping attacker-controlled input away from the vulnerable code paths. The primary recommendation is not to pass user-supplied input to the `underscore` and `unescapeHTML` methods of string.js at all. If those methods are essential, validate input strictly before it reaches them: enforce a length cap and an allowed character set, and reject anything else rather than trying to clean it. A user-provided patch is available in Pull Request #217 on the string.js GitHub repository; test it thoroughly in a non-production environment before deploying it. After applying the patch or the validation, confirm the fix by exercising the code with a range of inputs, including the public PoC payloads known to trigger the vulnerability, and check that each call completes in a time proportional to the input length.
No official patch yet. Look for workarounds or keep watching for updates.
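The guard described above, as an added example that is not code from the advisory or from string.js. `guarded` wraps any string-to-string function with a length cap and an allowed-character check, so a string.js call such as `S(s).underscore().s` only ever sees bounded, validated input; `unescapeHTMLSafe` is a drop-in replacement for the entity-decoding case in which every regex quantifier has a fixed upper bound, so matching is linear in the input length; and `timeCall` is the verification step, measuring how long a call takes on a large input. The cap of 1024 characters, the printable-ASCII default alphabet and the five named entities are assumptions for the example, not values taken from the page or the library.

```javascript
// Added example: input guard for the affected string.js methods, a bounded-regex
// entity decoder, and a timing check to verify linear behaviour on large inputs.
const MAX_INPUT_LENGTH = 1024;               // assumed cap; tune to your data
const DEFAULT_ALPHABET = /^[\x20-\x7e]*$/;   // assumed: printable ASCII only

// Minimal named-entity table for the example; a real deployment would use a
// full table, which does not change the bounded shape of the regex below.
const NAMED_ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };

function guardInput(input, { maxLength = MAX_INPUT_LENGTH, pattern = DEFAULT_ALPHABET } = {}) {
  // Reject, never repair: anything that is not a string, is over the cap, or
  // contains characters outside the allowed alphabet is refused outright.
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxLength) return { ok: false, reason: `longer than ${maxLength}` };
  if (!pattern.test(input)) return { ok: false, reason: 'disallowed characters' };
  return { ok: true };
}

function guarded(fn, opts) {
  // Wrap a string function so it only runs on validated input, e.g.
  //   const safeUnderscore = guarded(s => S(s).underscore().s);   // S = require('string')
  return (input) => {
    const check = guardInput(input, opts);
    if (!check.ok) throw new RangeError(`rejected input: ${check.reason}`);
    return fn(input);
  };
}

function codePointOrOriginal(cp, original) {
  // Refuse surrogates and out-of-range code points instead of producing garbage.
  const valid = cp >= 0 && cp <= 0x10ffff && !(cp >= 0xd800 && cp <= 0xdfff);
  return valid ? String.fromCodePoint(cp) : original;
}

function unescapeHTMLSafe(input) {
  // Each alternative has a fixed maximum width (6 hex digits, 7 decimal digits,
  // 8 letters), so the engine can never backtrack across an unbounded run.
  return input.replace(/&(?:#x([0-9a-fA-F]{1,6})|#(\d{1,7})|([a-zA-Z]{1,8}));/g, (m, hex, dec, name) => {
    if (hex !== undefined) return codePointOrOriginal(parseInt(hex, 16), m);
    if (dec !== undefined) return codePointOrOriginal(parseInt(dec, 10), m);
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : m;
  });
}

function timeCall(fn, input) {
  // Verification helper: wall-clock milliseconds for one call on a given input.
  const start = process.hrtime.bigint();
  const result = fn(input);
  return { result, ms: Number(process.hrtime.bigint() - start) / 1e6 };
}

// Demo on constructed inputs: a benign string, an oversized run of entity
// openers that the guard refuses, and a large input timed through the decoder.
const safeUnescape = guarded(unescapeHTMLSafe);
console.log(safeUnescape('&lt;b&gt; &amp; &#65;&#x42;'));
try {
  safeUnescape('&'.repeat(MAX_INPUT_LENGTH + 1));
} catch (e) {
  console.log('guard:', e.message);
}
const timed = timeCall(unescapeHTMLSafe, '&'.repeat(100000));
console.log(`100000 entity openers decoded in ${timed.ms.toFixed(2)} ms`);
```

When you swap in the PR #217 patch instead of the wrapper, keep `timeCall` in your test suite and run it against the PoC payloads: a fix that is correct will show a runtime that grows roughly with input length, while a regression will show up as a sudden jump.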
CVE-2017-16116 is a Denial of Service vulnerability in the string.js library for Node.js, affecting versions up to 3.3.3. Crafted input to the underscore/unescapeHTML methods triggers catastrophic regex backtracking that stalls the Node.js event loop and makes the application unresponsive.
You are affected if your Node.js application uses string.js version 3.3.3 or earlier and processes untrusted user input without proper sanitization.
There's no official patch. Mitigate by avoiding user input to underscore/unescapeHTML or applying the user-provided patch from Pull Request #217 after thorough testing.
There is no current evidence of active exploitation campaigns targeting this vulnerability, but public PoCs exist.
Refer to the string.js GitHub repository for information and the user-provided patch: https://github.com/jprichardson/string.js