Skip to content

Denial of service in fast-csv

Low severity GitHub Reviewed Published Dec 4, 2020 in C2FO/fast-csv • Updated Feb 1, 2023

Package

npm @fast-csv/parse (npm)

Affected versions

< 4.3.6

Patched versions

4.3.6
npm fast-csv (npm)
< 4.3.6
4.3.6

Description

Impact

Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty option when parsing.

Patches

This has been patched in v4.3.6

Workarounds

You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6

References

This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.
Link to query run.

For more information

If you have any questions or comments about this advisory:

References

@doug-martin doug-martin published to C2FO/fast-csv Dec 4, 2020
Reviewed Dec 8, 2020
Published to the GitHub Advisory Database Dec 8, 2020
Published by the National Vulnerability Database Dec 8, 2020
Last updated Feb 1, 2023

Severity

Low

EPSS score

1.099%
(85th percentile)

Weaknesses

CVE ID

CVE-2020-26256

GHSA ID

GHSA-8cv5-p934-3hwp

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.