GHSA-g36h-6r4f-3mqp

GitHub Security Advisory

Regular Expression Denial of Service in string package

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Affected versions of `string` are vulnerable to regular expression denial of service (ReDoS) when specifically crafted untrusted user input is passed into the `underscore` or `unescapeHTML` methods.

## Recommendation

There is currently no direct patch for this vulnerability.

Currently, the best solution is to avoid passing user input to the `underscore` and `unescapeHTML` methods.

Alternatively, a user-provided patch is available in [Pull Request #217](https://github.com/jprichardson/string.js/pull/217/commits/eab9511e4efbc8c521e18b6cf2e8565ae50c5a16); however, this patch has not been tested, nor has it been merged by the package author.
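The recommendation above (keep untrusted input away from `underscore` / `unescapeHTML`) made concrete, as an added example that is not code from the advisory or from string.js: `guardUntrusted()` bounds what may reach those methods, and `unescapeHTMLLinear()` is a replacement decoder that scans each character once instead of relying on a backtracking regex. The length cap, the entity table and the function names are assumptions chosen for this example.

```javascript
// Added example, not code from the advisory or from string.js.
// guardUntrusted() bounds untrusted input before it reaches string.js's
// `underscore` / `unescapeHTML`; unescapeHTMLLinear() is a replacement
// decoder that scans each character once instead of using a regex.

const MAX_UNTRUSTED_LEN = 1024; // assumed cap; tune per application

// Bounding input length bounds the worst-case running time of any
// super-linear routine downstream, which is the practical ReDoS mitigation
// when the library itself cannot be patched.
function guardUntrusted(input, maxLen = MAX_UNTRUSTED_LEN) {
  if (typeof input !== 'string') throw new TypeError('expected a string');
  if (input.length > maxLen) throw new RangeError(`input exceeds ${maxLen} chars`);
  return input;
}

// Common named entities (assumed subset; extend as needed). A Map avoids
// prototype keys such as "toString" being treated as entity names.
const NAMED = new Map([
  ['amp', '&'], ['lt', '<'], ['gt', '>'], ['quot', '"'], ['apos', "'"],
]);
const MAX_ENTITY_LEN = 8; // longest entity body accepted, e.g. "#x10FFFF"

function decodeEntity(body) {
  if (NAMED.has(body)) return NAMED.get(body);
  let cp;
  if (/^#x[0-9a-f]{1,6}$/i.test(body)) cp = parseInt(body.slice(2), 16);
  else if (/^#[0-9]{1,7}$/.test(body)) cp = parseInt(body.slice(1), 10);
  if (cp === undefined || cp > 0x10ffff) return undefined;
  return String.fromCodePoint(cp);
}

// O(n): lookahead after '&' is capped at MAX_ENTITY_LEN + 1 characters, so
// long runs of '&' or unterminated entities never cause rescanning.
function unescapeHTMLLinear(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== '&') { out += s[i]; continue; }
    let j = i + 1;
    while (j < s.length && s[j] !== ';' && j - i <= MAX_ENTITY_LEN + 1) j++;
    const decoded = (j < s.length && s[j] === ';')
      ? decodeEntity(s.slice(i + 1, j))
      : undefined;
    if (decoded === undefined) { out += '&'; continue; } // leave malformed as-is
    out += decoded;
    i = j; // skip past the ';'
  }
  return out;
}
```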

Affected Packages

npm string
Affected versions: all versions up to and including 3.3.3 (introduced: 0, last affected: 3.3.3)

Key Information

GHSA ID
GHSA-g36h-6r4f-3mqp
Published
July 24, 2018 8:16 PM
Last Modified
September 12, 2023 8:48 PM
CVSS Score
7.5 / 10
Primary Ecosystem
npm
Primary Package
string
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 30, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.