All vulnerabilities
CVE-2017-16137
Regular Expression Denial of Service in debug
Description
Affected versions of debug are vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter.
As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.
This was later re-introduced in version v3.2.0, and then repatched in versions 3.2.7 and 4.3.1.
Recommendation
Version 2.x.x: Update to version 2.6.9 or later. Version 3.1.x: Update to version 3.1.0 or later. Version 3.2.x: Update to version 3.2.7 or later. Version 4.x.x: Update to version 4.3.1 or later.
Patch Available
Fix available through Seal Security. No upgrade required, protect your application instantly.
Fix without upgrading
Score
3.7
Severity
Low
Ecosystem
Java
Publish Date
August 9, 2018
Modified Date
February 3, 2026
Score Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Affected Versions

