CVE-2018-20801
Regular Expression Denial of Service in highcharts
CVSS 3.1: 7.5 (HIGH), EPSS: 0.47%
Description
Versions of `highcharts` prior to 6.1.0 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.
Recommendation
Upgrade to version 6.1.0 or higher.
How to fix CVE-2018-20801
To remediate CVE-2018-20801, upgrade the affected package to a fixed version below.
- highcharts: upgrade to 6.1.0 or later
Is CVE-2018-20801 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- highcharts: from 0, < 6.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |