decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens take approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input.
History
Wed, 01 Jul 2026 10:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Samverschueren; Samverschueren decode-uri-component | |
| Vendors & Products | Samverschueren; Samverschueren decode-uri-component |
Wed, 01 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Denial of Service via Exponential Parsing Time in decode‑uri‑component | decode-uri-component: decode-uri-component: Denial of Service via crafted input |
| Weaknesses | CWE-1050 | |
| References | | |
| Metrics | threat_severity | cvssV3_1 |
Tue, 30 Jun 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc |
Tue, 30 Jun 2026 10:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Denial of Service via Exponential Parsing Time in decode‑uri‑component |
Tue, 30 Jun 2026 08:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | decode-uri-component through 0.4.1 is vulnerable to denial of service. The decode() function splits input on '%' producing N tokens and calls decodeComponents(), exhibiting super-linear parsing time: 200 '%ab' tokens take approximately 0.7s, 700 tokens approximately 6s, and 1400 tokens approximately 33s. An attacker can cause significant CPU consumption and event-loop blocking via crafted input. | |
| Weaknesses | CWE-400 CWE-407 | |
| References | | |
| Metrics | cvssV4_0 |
Status: PUBLISHED
Assigner: seal
Published: 2026-06-30T08:05:36.399Z
Updated: 2026-06-30T12:49:30.364Z
Reserved: 2026-05-13T12:03:13.545Z
Link: CVE-2026-45822
Updated: 2026-06-30T12:49:26.577Z