
CVE-2020-26256: Denial of service in fast-csv

CVSS Score (v3.1): 5.7

Basic Information

EPSS Score: 0.76784%
Published: 12/8/2020
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H

Package Name      Ecosystem  Vulnerable Versions  First Patched Version
fast-csv          npm        < 4.3.6              4.3.6
@fast-csv/parse   npm        < 4.3.6              4.3.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The key vulnerability was identified in the regular expression EMPTY_ROW_REGEXP used for empty row detection. The commit diff shows this regex was removed and replaced with a simpler string manipulation check in RowParser.isEmptyRow. The vulnerable code path was triggered when using the ignoreEmpty parsing option, as confirmed by the advisory details and the test case added in the patch. The regex's structure (nested optional groups and repetitions) allows catastrophic backtracking on crafted input, i.e. ReDoS, which aligns with the CWE-400 classification for uncontrolled resource consumption.
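As an added illustration (not fast-csv's own code; the project's real isEmptyRow and the original EMPTY_ROW_REGEXP are not reproduced on this page), the following shows the kind of linear-time string check that the analysis above describes replacing the regex with, along with a wrapper that mimics the ignoreEmpty option. All names and sample rows are constructed for this example.

```javascript
// Added example, not fast-csv's own code: a linear-time "empty row" check
// standing in for a regex-based one. Function names, the blank-cell rule and
// the sample rows are constructed for this illustration.

// A cell counts as blank when it is only whitespace, or whitespace around an
// empty quoted value ("" or ''). trim() and the three comparisons each walk
// the cell at most once, so there is no backtracking to exploit.
function cellIsBlank(cell) {
  const t = String(cell).trim();
  return t === '' || t === '""' || t === "''";
}

// A row is empty when every cell is blank. Cost is O(total characters),
// independent of how many cells or spaces appear, so a long "almost empty"
// row costs the same per character as a short one.
function isEmptyRow(row) {
  return row.every(cellIsBlank);
}

// Mimics the ignoreEmpty parsing option: drop empty rows only when enabled.
function applyIgnoreEmpty(rows, options = {}) {
  return options.ignoreEmpty ? rows.filter((row) => !isEmptyRow(row)) : rows;
}

// Constructed sample rows, shaped like what a CSV parser would emit.
const SAMPLE_ROWS = [
  ['id', 'name'],
  ['', ' ', '""'],   // blank cells only -> empty row
  ['1', 'alice'],
  [" '' ", ''],      // quoted-empty plus empty -> empty row
  ['', 'x'],         // has content -> kept
];

// A long row whose only content is in the last cell: the near-miss shape on
// which a nested-quantifier regex backtracks catastrophically, and on which
// the string check above stays linear.
function nearMissRow(n) {
  return Array(n).fill(' "" ').concat(['x']);
}
```

Calling isEmptyRow on nearMissRow(200000) returns false promptly, whereas a regex with nested optional groups over the same input is where the reported resource exhaustion comes from.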


WAF Protection Rules

WAF Rule

Impact
Possible ReDoS (Regular expression Denial of Service) when using `ignoreEmpty` option when parsing.

Patches
This has been patched in `v4.3.6`

Workarounds
You will only be affected by this if you use the `ignoreEmpty` parsing opti
