CVE-2017-16137
Denial of Service vulnerability in debug (npm)


What is CVE-2017-16137 About?

This vulnerability in the `debug` package allows a regular expression denial of service (ReDoS) when untrusted user input is passed to the `o` formatter. Exploiting it can block the Node.js event loop and disrupt the service. Its low severity rating reflects that a large amount of input is required before the impact becomes noticeable.

Affected Software

  • debug
    • <2.6.9
    • >3.0.0, <3.1.0
    • >3.2.0, <3.2.7
    • >4.0.0, <4.3.1

Technical Details

Affected versions of the `debug` package are susceptible to a Regular Expression Denial of Service (ReDoS) when processing untrusted user input via the `o` formatter. The regular expression used inside the formatter exhibits catastrophic backtracking on specific patterns of malformed input. When a lengthy string (e.g., 50,000 characters) containing such a pattern is passed to the `o` formatter, the regex engine consumes excessive CPU cycles, and because the work is synchronous it blocks the Node.js event loop for an extended period (e.g., 2 seconds). While the loop is blocked the application cannot handle other requests or tasks, which amounts to a denial of service. The vulnerability re-emerged in version 3.2.0 and was subsequently patched in versions 3.2.7 and 4.3.1.

What is the Impact of CVE-2017-16137?

Successful exploitation may allow attackers to degrade application performance or cause temporary unresponsiveness, leading to a denial of service for legitimate users.

What is the Exploitability of CVE-2017-16137?

Exploitation of this vulnerability requires an attacker to inject specially crafted untrusted user input into a component that utilizes the debug package's o formatter. The complexity is moderate, as it requires knowledge of the problematic input patterns that trigger catastrophic backtracking. No specific authentication or privilege is required for the attacker to supply this input, assuming the application processes user-controlled data. The attack is typically remote if the application exposes an interface that accepts user input. A significant amount of input (e.g., 50,000 characters) is needed to cause a noticeable impact, which might be a constraint. The risk is increased in applications that extensively log or debug user-provided data directly.

What are the Known Public Exploits?

No known exploits are listed (the PoC, Author, Link and Commentary columns are empty).

What are the Available Fixes for CVE-2017-16137?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch changes the way object inspection output is formatted: each line of the output is trimmed individually and the lines are re-joined, instead of stripping the whitespace around newlines with a single regular expression. With no backtracking regex in the path, input containing specially crafted newlines and surrounding whitespace can no longer trigger catastrophic backtracking and block the event loop, which closes the ReDoS vector described in CVE-2017-16137.

Available Upgrade Options

  • debug
    • <2.6.9 → Upgrade to 2.6.9
    • >3.0.0, <3.1.0 → Upgrade to 3.1.0
    • >3.2.0, <3.2.7 → Upgrade to 3.2.7
    • >4.0.0, <4.3.1 → Upgrade to 4.3.1


Additional Resources

What are Similar Vulnerabilities to CVE-2017-16137?

Similar Vulnerabilities: CVE-2017-16113, CVE-2018-3720, CVE-2018-12115, CVE-2017-16016, CVE-2020-28280