Skip to content

ReDoS vulnerability when parsing with ignoreEmpty option

Low
doug-martin published GHSA-8cv5-p934-3hwp Dec 4, 2020

Package

npm fast-csv,@fast-csv/parse (npm)

Affected versions

<v4.3.6

Patched versions

v4.3.6

Description

Impact

Possible ReDoS (Regular Expression Denial of Service) when using ignoreEmpty option when parsing.

Patches

This has been patched in v4.3.6

Workarounds

You will only be affected by this if you use the ignoreEmpty parsing option. If you do use this option it is recommended that you upgrade to the latest version v4.3.6

References

This vulnerability was found using a CodeQL query which identified EMPTY_ROW_REGEXP regular expression as vulnerable.
Link to query run.

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2020-26256

Weaknesses

No CWEs