Advisory Details

June 13th, 2018

npm mosca Regular Expression Parsing Denial-of-Service Vulnerability

ZDI-18-583
ZDI-CAN-6306

CVE ID CVE-2018-11615
CVSS SCORE 7.1, AV:N/AC:M/Au:N/C:N/I:N/A:C
AFFECTED VENDORS npm
AFFECTED PRODUCTS mosca
VULNERABILITY DETAILS


This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to crash. An attacker can leverage this vulnerability to deny access to the target system.
ADDITIONAL DETAILS


Fixed in version 2.8.2
DISCLOSURE TIMELINE
  • 2018-06-01 - Vulnerability reported to vendor
  • 2018-06-13 - Coordinated public release of advisory
  • 2018-06-13 - Advisory Updated
CREDIT Federico "phretor" Maggi of Trend Micro Security Research and Davide "_ocean" Quarta
BACK TO ADVISORIES