
CVE-2019-17592: Regular Expression Denial of Service in csv-parse

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.67831%
Published: 10/15/2019
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: csv-parse
Ecosystem: npm
Vulnerable Versions: < 4.4.6
First Patched Version: 4.4.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability was explicitly tied to the `isInt` function in multiple sources, including the NVD description and the GitHub commit that removed it. The commit diff shows removal of the vulnerable regex pattern `/^(\-|\+)?([1-9]+[0-9]*)$/`, whose 'repetition of repetition' structure (`[1-9]+` immediately followed by the overlapping `[0-9]*`) makes the engine retry every way of splitting a long digit run between the two quantifiers once the final `$` fails. The added test case with 3 million '1' characters confirms the attack vector. Both file locations (the ES5 and the modern JS implementation) contained identical vulnerable logic before patching.
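The removed pattern beside a linear-time replacement, as an added example that is not csv-parse's own code: the vulnerable regex is the one quoted above, while `SAFE_INT_RE`, `isIntLinear` and the sample inputs are assumptions constructed here.

```javascript
// Added example, not csv-parse's own code: the regex the 4.4.6 fix removed,
// beside a linear-time replacement with identical accept/reject behaviour.
// Sample inputs and the replacement are constructed here, not from the project.

// Vulnerable: "[1-9]+" is immediately followed by the overlapping "[0-9]*", so a
// long digit run can be split between the two quantifiers in O(n) ways. When the
// final "$" fails, the engine retries every split: roughly n^2/2 steps for n digits.
const VULNERABLE_INT_RE = /^(\-|\+)?([1-9]+[0-9]*)$/;

// Hardened: one non-zero digit, then any digits. Adjacent quantifiers no longer
// overlap, so there is exactly one way to match or fail: O(n).
const SAFE_INT_RE = /^[-+]?[1-9][0-9]*$/;

// Regex-free equivalent (assumed replacement; csv-parse's actual fix may differ).
function isIntLinear(s) {
  let i = 0;
  if (s[i] === '-' || s[i] === '+') i++;
  if (i >= s.length || s[i] < '1' || s[i] > '9') return false;
  for (i++; i < s.length; i++) {
    if (s[i] < '0' || s[i] > '9') return false;
  }
  return true;
}

// Constructed inputs covering sign, leading zero, empty and trailing-garbage cases.
const SAMPLES = ['0', '7', '-42', '+1000', '007', '', '-', '+', '12a', '1'.repeat(50) + 'x'];

// True when the vulnerable pattern and both replacements agree on every sample.
function checksAgree(samples = SAMPLES) {
  return samples.every(s =>
    VULNERABLE_INT_RE.test(s) === SAFE_INT_RE.test(s) &&
    SAFE_INT_RE.test(s) === isIntLinear(s));
}

// Milliseconds spent rejecting n '1's plus one stray character: a shrunk version
// of the advisory's 3-million-character test input.
function rejectCostMs(re, n) {
  const input = '1'.repeat(n) + 'x';
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

console.log('all checks agree:', checksAgree());
for (const n of [1000, 2000, 4000]) {
  console.log(`n=${n}: vulnerable ${rejectCostMs(VULNERABLE_INT_RE, n).toFixed(2)} ms,`
    + ` safe ${rejectCostMs(SAFE_INT_RE, n).toFixed(3)} ms`);
}
```

Doubling n should roughly quadruple the vulnerable pattern's rejection time while the safe pattern stays flat, which is the signature to look for when auditing other regexes for overlapping quantifiers.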


WAF Protection Rules

WAF Rule

Versions of `csv-parse` prior to 4.4.6 are vulnerable to Regular Expression Denial of Service. The `__isInt()` function contains a malformed regular expression that processes large specially-crafted input very slowly, leading to a Denial of Service.
