CVE-2025-45143
BaseFortify
Publication date: 2025-06-30
Last updated on: 2025-10-18
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devrafalko | string-math | 1.2.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-45143 is a Regular Expression Denial of Service (ReDoS) vulnerability in version 1.2.2 of the npm package string-math. It is caused by a regular expression in string-math.js that backtracks excessively when given a specially crafted input containing repeated null bytes and tab characters. Evaluating such an input keeps the Node.js event loop busy for an abnormally long time, so the application slows down significantly or crashes. [1]
How can this vulnerability impact me?
If attacker-controlled strings reach the stringMath function, a single crafted input can make the process spend seconds or longer inside the regex engine. Because Node.js evaluates regular expressions synchronously on the main thread, that one call blocks every other request the process is serving, so the practical effect is a denial of service against availability. The impact is limited to availability; no code execution or data exposure is described for this issue. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The practical check is local rather than network-based. First confirm whether the package is installed and at the affected version, for example with `npm ls string-math` in the project directory (`npm audit` may also flag it once the advisory is in the registry's database). Then time a call to the package's stringMath function with a crafted input of 5000 tab characters followed by 100 repetitions of "0()", measuring elapsed time with Node's performance hooks. A call that takes orders of magnitude longer than a normal expression (seconds rather than milliseconds) indicates that the vulnerable regex is present. Run the test in a throwaway environment, since a successful trigger will pin a CPU core for the duration of the match. [1]