Inefficient Regular Expression Complexity

CVE-2025-25283

High

7.5/10

Summary

The parse-duraton is software that allows users to convert a human-readable duration to milliseconds. The parse-duration package versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a `0.5ms` and up to `~50ms` per one operation, with a varying size from 0.01 MB and up to 4.3 MB respectively, and an out of memory that would crash a running Node.js application due to a string size of roughly 10 MB that utilizes Unicode characters.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

Advisory Timeline

Published Feb 12, 2025

Inefficient Regular Expression Complexity

CVE-2025-25283

Summary

CWE-1333 - Inefficient Regular Expression Complexity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS