CVE-2017-16137
First published: Wed Oct 11 2017(Updated: )
Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue. This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1. ## Recommendation Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debug Project Debug | >=2.0.0<2.6.9 | |
| Debug Project Debug | >=3.0.0<3.1.0 | |
| redhat/nodejs-debug | <2.6.9 | 2.6.9 |
| redhat/nodejs-debug | <3.1.0 | 3.1.0 |
| npm/debug | >=4.0.0<4.3.1 | 4.3.1 |
| npm/debug | >=3.2.0<3.2.7 | 3.2.7 |
| npm/debug | >=3.0.0<3.1.0 | 3.1.0 |
| npm/debug | <2.6.9 | 2.6.9 |
| <=10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2017-16137
- https://github.com/visionmedia/debug/issues/501
- https://github.com/visionmedia/debug/pull/504
- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E
- https://github.com/debug-js/debug/issues/797
- https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020
- https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290
- https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac
- https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a
- https://github.com/advisories/GHSA-gxpj-cx7g-858c (Advisory)
- https://nodesecurity.io/advisories/534
- https://exchange.xforce.ibmcloud.com/vulnerabilities/135678
- https://www.ibm.com/support/pages/node/7057377 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1500706
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1516740
- https://access.redhat.com/security/updates/classification/
- https://access.redhat.com/errata/RHSA-2021:3917
- https://bugzilla.redhat.com/show_bug.cgi?id=1500705
- https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3%40%3Ccommits.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63%40%3Cnotifications.netbeans.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2017-16137?
The severity of CVE-2017-16137 is medium with a severity value of 5.3.
Which versions of debug are affected by CVE-2017-16137?
Versions 2.0.0 to 2.6.9, 3.0.0 to 3.1.0, and 4.0.0 to 4.3.1 of debug are affected by CVE-2017-16137.
What is the vulnerability of CVE-2017-16137?
CVE-2017-16137 is a regular expression denial of service vulnerability in the debug module of Node.js.
How can I fix CVE-2017-16137?
To fix CVE-2017-16137, update the debug module to version 2.6.9, 3.1.0, or 4.3.1, depending on the version you are using.
Where can I find more information about CVE-2017-16137?
You can find more information about CVE-2017-16137 on the NVD NIST page (https://nvd.nist.gov/vuln/detail/CVE-2017-16137) and on the GitHub issues (https://github.com/visionmedia/debug/issues/501) and pull request (https://github.com/visionmedia/debug/pull/504) for debug.
- collector/nvd-index
- agent/type
- agent/author
- agent/first-publish-date
- agent/remedy
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-16137
- agent/software-canonical-lookup
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-gxpj-cx7g-858c
- agent/last-modified-date
- agent/description
- collector/nvd-cve
- source/NVD
- agent/references
- collector/github-advisory
- agent/severity
- collector/ibm-support
- source/IBM
- agent/softwarecombine
- agent/event
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/debug project
- canonical/debug project debug
- version/debug project debug/2.0.0
- version/debug project debug/3.0.0
- package-manager/redhat
- package-manager/npm
- vendor/ibm
- canonical/ibm security verify governance
- version/ibm security verify governance/10.0