[GHSA-x5gf-qvw8-r2rm] pm2 Regular Expression Denial of Service vulnerability

[mhassan1]

Updates

• Affected products
• CVSS v3
• CVSS v4
• Description
• References
• Severity

Comments
The vulnerable regular expression is present in every version of the library (Unitech/pm2#5971 was reverted in Unitech/pm2@7b022de). This is a follow-up to #5804.

[mhassan1]

I didn't intend to remove these metrics, but the advisory improvement screen forced me to remove them, and I don't see a way to put them back. I've opened an issue about this limitation in the advisory improvement screen: #5357.

[mhassan1]

I didn't intend to increase the severity, but the advisory improvement screen forced me to, and I don't see a way to revert this.

[JonathanLEvans]

As we mentioned in #5804, we do not published advisories without an upper bounds. I can update the upper bound to <= 6.0.14.

Also, the description comes from the CVE. Updating it here will not update it for everyone else. If you want to update the CVE description, you need to contact VulDB at cna@vuldb.com.

[mhassan1]

As we mentioned in #5804, we do not published advisories without an upper bounds.

The problem I see is that someone on future version 6.0.15 may think they are not vulnerable, even though they are (assuming that version doesn't contain a fix). We will need to keep updating this advisory every time there's an unrelated release.

What is the correct way to mark all versions as vulnerable (until there's a patch)?

[advisory-database]

Hi @mhassan1! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[JonathanLEvans]

Hi @mhassan1,

We don't leave the upper bound uncapped so I updated it to <= 6.0.14. If a new version comes out and is still vulnerable, we update the version range in the advisory again.