CVE-2020-26256 - OpenCVE

Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:S/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
C2fo	Fast-csv

Configuration 1 [-]

cpe:2.3:a:c2fo:fast-csv:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e
https://github.com/C2FO/fast-csv/issues/540
https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp
https://lgtm.com/query/8609731774537641779/
https://www.npmjs.com/package/%40fast-csv/parse
https://www.npmjs.com/package/fast-csv

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2020-12-08T21:45:19

Updated: 2024-08-04T15:56:03.099Z

Reserved: 2020-10-01T00:00:00

Link: CVE-2020-26256

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-12-08T22:15:17.540

Modified: 2023-11-07T03:20:32.000

Link: CVE-2020-26256

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "fast-csv", "vendor": "C2FO", "versions": [{"status": "affected", "version": "< 4.3.6"}]}], "descriptions": [{"lang": "en", "value": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-12-08T21:45:19", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp"}, {"tags": ["x_refsource_MISC"], "url": "https://lgtm.com/query/8609731774537641779/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/C2FO/fast-csv/issues/540"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/%40fast-csv/parse"}, {"tags": ["x_refsource_MISC"], "url": "https://www.npmjs.com/package/fast-csv"}], "source": {"advisory": "GHSA-8cv5-p934-3hwp", "discovery": "UNKNOWN"}, "title": "Denial of service in fast-csv", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-26256", "STATE": "PUBLIC", "TITLE": "Denial of service in fast-csv"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "fast-csv", "version": {"version_data": [{"version_value": "< 4.3.6"}]}}]}, "vendor_name": "C2FO"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-400 Uncontrolled Resource Consumption"}]}]}, "references": {"reference_data": [{"name": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp", "refsource": "CONFIRM", "url": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp"}, {"name": "https://lgtm.com/query/8609731774537641779/", "refsource": "MISC", "url": "https://lgtm.com/query/8609731774537641779/"}, {"name": "https://github.com/C2FO/fast-csv/issues/540", "refsource": "MISC", "url": "https://github.com/C2FO/fast-csv/issues/540"}, {"name": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e", "refsource": "MISC", "url": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e"}, {"name": "https://www.npmjs.com/package/@fast-csv/parse", "refsource": "MISC", "url": "https://www.npmjs.com/package/@fast-csv/parse"}, {"name": "https://www.npmjs.com/package/fast-csv", "refsource": "MISC", "url": "https://www.npmjs.com/package/fast-csv"}]}, "source": {"advisory": "GHSA-8cv5-p934-3hwp", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:56:03.099Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lgtm.com/query/8609731774537641779/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/C2FO/fast-csv/issues/540"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/%40fast-csv/parse"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.npmjs.com/package/fast-csv"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-26256", "datePublished": "2020-12-08T21:45:19", "dateReserved": "2020-10-01T00:00:00", "dateUpdated": "2024-08-04T15:56:03.099Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:c2fo:fast-csv:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "38FF4853-5265-411D-91CC-D0137CBE216E", "versionEndExcluding": "4.3.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fast-csv is an npm package for parsing and formatting CSVs or any other delimited value file in node. In fast-cvs before version 4.3.6 there is a possible ReDoS vulnerability (Regular Expression Denial of Service) when using ignoreEmpty option when parsing. This has been patched in `v4.3.6` You will only be affected by this if you use the `ignoreEmpty` parsing option. If you do use this option it is recommended that you upgrade to the latest version `v4.3.6` This vulnerability was found using a CodeQL query which identified `EMPTY_ROW_REGEXP` regular expression as vulnerable."}, {"lang": "es", "value": "Fast-csv es un paquete npm para analizar y formatear CSV o cualquier otro archivo de valor delimitado en node. En fast-cvs anterior a versi\u00f3n 4.3.6, se presenta una posible vulnerabilidad ReDoS (Denegaci\u00f3n de servicio de expresi\u00f3n regular) cuando se usa la opci\u00f3n ignoreEmpty al analizar. Esto ha sido parcheado en versi\u00f3n \"v4.3.6\" Solo se ver\u00e1 afectado por esto si utiliza la opci\u00f3n de an\u00e1lisis \"ignoreEmpty\". Si usa esta opci\u00f3n, se recomienda que actualice a la \u00faltima versi\u00f3n \"v4.3.6\". Esta vulnerabilidad se encontr\u00f3 usando una consulta CodeQL que identific\u00f3 la expresi\u00f3n regular \"EMPTY_ROW_REGEXP\" como vulnerable"}], "id": "CVE-2020-26256", "lastModified": "2023-11-07T03:20:32.000", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2020-12-08T22:15:17.540", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/C2FO/fast-csv/commit/4bbd39f26a8cd7382151ab4f5fb102234b2f829e"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/C2FO/fast-csv/issues/540"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/C2FO/fast-csv/security/advisories/GHSA-8cv5-p934-3hwp"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://lgtm.com/query/8609731774537641779/"}, {"source": "security-advisories@github.com", "url": "https://www.npmjs.com/package/%40fast-csv/parse"}, {"source": "security-advisories@github.com", "tags": ["Product", "Third Party Advisory"], "url": "https://www.npmjs.com/package/fast-csv"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "security-advisories@github.com", "type": "Secondary"}]}