
GHSA-gxpj-cx7g-858c

GitHub Security Advisory

Regular Expression Denial of Service in debug

✓ GitHub Reviewed LOW Has CVE

Advisory Details

Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter.

Because it takes 50,000 characters to block the event loop for 2 seconds, this is a low-severity issue.

The issue was later reintroduced in version 3.2.0 and then patched again in versions 3.2.7 and 4.3.1.

## Recommendation

- Version 2.x.x: Update to version 2.6.9 or later.
- Version 3.1.x: Update to version 3.1.0 or later.
- Version 3.2.x: Update to version 3.2.7 or later.
- Version 4.x.x: Update to version 4.3.1 or later.

Affected Packages

| Ecosystem | Package | Affected versions | Fixed in |
| --- | --- | --- | --- |
| npm | debug | 0 | 2.6.9 |
| npm | debug | 3.0.0 | 3.1.0 |
| npm | debug | 3.2.0 | 3.2.7 |
| npm | debug | 4.0.0 | 4.3.1 |
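
The following check is an added example, not part of the advisory or the `debug` project. It scans the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3) for installed copies of `debug`, including nested transitive ones, and reports those inside the affected ranges listed above together with the version to update to. The sample lockfile and function names are constructed for illustration, and pre-release suffixes are ignored.

```javascript
// Affected ranges from this advisory as [introduced, fixed) pairs.
const AFFECTED_RANGES = [
  ["0.0.0", "2.6.9"], ["3.0.0", "3.1.0"],
  ["3.2.0", "3.2.7"], ["4.0.0", "4.3.1"],
];

// Parse "major.minor.patch". Assumption: pre-release and build suffixes are
// ignored, so "4.3.1-beta.1" is treated as 4.3.1.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Minimum fixed version for an affected release, or null if not affected.
function fixedVersionFor(version) {
  const hit = AFFECTED_RANGES.find(([introduced, fixed]) =>
    compareVersions(version, introduced) >= 0 && compareVersions(version, fixed) < 0);
  return hit ? hit[1] : null;
}

// Report every installed copy of debug in the lockfile's "packages" map.
// Keys are install paths, so nested transitive copies are found as well.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.version || !/(^|\/)node_modules\/debug$/.test(path)) continue;
    const fixed = fixedVersionFor(entry.version);
    if (fixed) findings.push({ path, installed: entry.version, updateTo: fixed });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/express/node_modules/debug": { version: "2.6.8" },
    "node_modules/mocha/node_modules/debug": { version: "3.2.6" },
    "node_modules/debug-utils": { version: "1.0.0" },
  },
};
console.log(auditLockfile(sampleLock));
```

Pass it the parsed contents of a real lockfile, for example `auditLockfile(JSON.parse(text))`, and treat any finding as a dependency to update.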

Related CVEs

Key Information

GHSA ID: GHSA-gxpj-cx7g-858c
Published: August 9, 2018 8:18 PM
Last Modified: March 25, 2024 7:01 PM
CVSS Score: 2.5/10
Primary Ecosystem: npm
Primary Package: debug
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 31, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.