Body Background
TrendAI™ Zero Day Initiative™ Logo

npm mosca Regular Expression Parsing Denial-of-Service Vulnerability

June 13th, 2018
ZDI-18-583 ZDI-CAN-6306

CVE ID

CVE-2018-11615

CVSS Score

7.1 AV:N/AC:M/Au:N/C:N/I:N/A:C

Affected Vendors

npm

Affected Products

mosca

Vulnerability Details


This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to crash. An attacker can leverage this vulnerability to deny access to the target system.

Additional Details


Fixed in version 2.8.2


Disclosure Timeline

  • 2018-06-01 - Vulnerability reported to vendor
  • 2018-06-13 - Coordinated public release of advisory
  • 2018-06-13 - Advisory Updated

Credit

Federico "phretor" Maggi of Trend Micro Security Research and Davide "_ocean" Quarta

Back to Advisories

Hero Background

Stand at the front line of proactive security

Trend ZDI connects the experts who discover, remediate, and defend.
Add your voice to the work that pushes attackers back.