CVE-2018-25074: skeemas Inefficient Regular Expression Complexity vulnerability
CVSS Score: 7.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2018-25074
GHSA ID:
EPSS Score: 0.1578%
CWE: CWE-1333 (Inefficient Regular Expression Complexity)
Published: 1/11/2023
Updated: 10/20/2023
KEV Status: No
Technology: JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
skeemas | npm | < 1.2.5 | 1.2.5 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is tied to the 'uri' format validator regex shown in the commit diff. The patch changed the pattern from '(/?(?:[a-z0-9-.~!$&'()*+,;=:@]|%[0-9A-F]{2})+)' to '(/?(?:[a-z0-9-.~!$&'()+,;=:@]|%[0-9A-F]{2})(?:[...]))', restructuring the quantifier whose backtracking made matching inefficient on certain inputs. This regex is one of the format validators defined in base.js that skeemas applies during schema validation. The CWE-1333 classification and a commit message confirming that the ReDoS issue was resolved give high confidence in this assessment.
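Added example, not skeemas' own code or the patch itself: the standard mitigation for a backtracking regex is a single-pass scanner that examines each character once. The scanner below accepts the segment grammar of the pre-patch fragment quoted above (an optional '/', then one or more allowed characters or %XX escapes); treating the whole input as a sequence of such segments, and the MAX_LEN bound, are assumptions of this example rather than details from the advisory.

```javascript
// Linear-time scanner for the path-segment grammar of the quoted fragment
//   /?(?:[a-z0-9-.~!$&'()*+,;=:@]|%[0-9A-F]{2})+
// No character is ever re-examined, so cost is proportional to input length.

// Characters accepted literally by the quoted character class.
const SEGMENT_CHARS = new Set("abcdefghijklmnopqrstuvwxyz0123456789-.~!$&'()*+,;=:@");

// Upper-case hex digit, as %[0-9A-F]{2} in the quoted regex requires.
function isUpperHex(ch) {
  return (ch >= "0" && ch <= "9") || (ch >= "A" && ch <= "F");
}

// Scan one segment starting at `start`. Returns the index just past it,
// or -1 when no segment body (at least one char or %XX escape) is present.
function scanSegment(s, start) {
  let i = start;
  if (s[i] === "/") i += 1;          // the optional leading slash
  const bodyStart = i;
  while (i < s.length) {
    const ch = s[i];
    if (SEGMENT_CHARS.has(ch)) {
      i += 1;
    } else if (ch === "%" && i + 2 < s.length && isUpperHex(s[i + 1]) && isUpperHex(s[i + 2])) {
      i += 3;                        // a complete %XX escape
    } else {
      break;                         // first character outside the grammar
    }
  }
  return i === bodyStart ? -1 : i;
}

// Assumed defensive bound (not from the advisory): rejecting oversized input
// before any parsing is cheap insurance even when the check is linear-time.
const MAX_LEN = 2048;

// True when the whole string is one or more segments of the grammar above.
function isSegmentPath(s) {
  if (typeof s !== "string" || s.length === 0 || s.length > MAX_LEN) return false;
  let i = 0;
  while (i < s.length) {
    const next = scanSegment(s, i);
    if (next === -1) return false;
    i = next;
  }
  return true;
}
```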