CVE-2025-5891
BaseFortify
Publication date: 2025-06-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keymetric | pm2 | up to 6.0.6 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5891 is a Regular Expression Denial of Service (ReDoS) vulnerability in Unitech pm2 up to version 6.0.6. It occurs in the file /lib/tools/Config.js due to an inefficient regular expression that can cause excessive CPU consumption when processing specially crafted input. Attackers can remotely exploit this by embedding malicious code blocks in parsed Markdown, causing the regular expression engine to consume excessive processing time and resources, potentially freezing the application or causing denial of service. [1, 2, 3]
How can this vulnerability impact me?
This vulnerability can lead to a denial of service condition by causing the affected application to consume excessive CPU resources, resulting in application freezing or unavailability. Since the attack can be initiated remotely without authentication, it poses a risk to system availability and stability. There are currently no known mitigations other than replacing the affected component, so systems using vulnerable versions of pm2 may be at risk of disruption. [1, 2, 3, 4]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by running the provided proof-of-concept (PoC) code, which demonstrates the Regular Expression Denial of Service (ReDoS) attack. The PoC is a JavaScript script that imports the vulnerable validation function and calls it with a large crafted input string to measure how long processing takes. To test your system, clone the pm2 repository, create a file (e.g., poc.js) containing the PoC code, and run it with Node.js; if the validation takes an unusually long time, the installed version is vulnerable. The exact commands (cloning the repo, creating the PoC file, running it with Node.js) are given in Resource 4. [4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying the fix proposed in the GitHub pull request #5971, which replaces the inefficient regular expression in /lib/tools/Config.js with a more efficient pattern to prevent excessive backtracking and reduce execution time. If patching is not immediately possible, consider replacing the affected component with an alternative product, as no other known countermeasures currently exist. Monitoring for unusual CPU usage and limiting exposure to remote inputs that trigger the vulnerability can also help reduce risk until a fix is applied. [2, 3]
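The timing check from the detection answer and the input-limiting mitigation from the answer above, as an added JavaScript example that is not pm2's code: the page does not show the affected expression from /lib/tools/Config.js, so a constructed nested-quantifier pattern (CATASTROPHIC) stands in for it. `growthFactor` is the general form of the PoC timing test (how match time scales when the input grows), and `guardedValidate` bounds input length before any regex runs.

```javascript
// Added example, not pm2's code. The patterns below are constructed stand-ins;
// the actual expression in /lib/tools/Config.js is not shown on this page.

// Median wall-clock time in ms of `fn()` over `reps` runs (median discards
// the one-off cost of regex compilation and V8 tier-up on the first calls).
function medianMs(fn, reps = 5) {
  const samples = [];
  for (let i = 0; i < reps; i++) {
    const t0 = process.hrtime.bigint();
    fn();
    samples.push(Number(process.hrtime.bigint() - t0) / 1e6);
  }
  samples.sort((a, b) => a - b);
  return samples[Math.floor(reps / 2)];
}

// Growth factor of match time when the input length goes from n to n + step.
// A backtracking-safe regex grows at most linearly with the input; an
// exponential pattern grows by roughly 2^step on a near-miss input.
function growthFactor(re, buildInput, n, step) {
  const small = buildInput(n);
  const large = buildInput(n + step);
  const tSmall = Math.max(medianMs(() => re.test(small)), 1e-3); // avoid /0
  const tLarge = medianMs(() => re.test(large));
  return tLarge / tSmall;
}

// CWE-400 side of the mitigation: bound the input before the regex sees it,
// so a remote caller cannot pick the length that drives the backtracking.
function guardedValidate(re, input, maxLen = 256) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > maxLen) return { ok: false, reason: 'input too long' };
  const ok = re.test(input);
  return { ok, reason: ok ? 'match' : 'no match' };
}

// Constructed patterns: nested quantifier (exponential on a near-miss) versus
// the equivalent single-quantifier form, which has no overlapping choices.
const CATASTROPHIC = /^(a+)+$/;
const LINEAR = /^a+$/;
// Near-miss input: all 'a' then a character that forces the final mismatch,
// so every way of splitting the run is tried before the match fails.
const nearMiss = (n) => 'a'.repeat(n) + '!';

console.log('catastrophic growth x', growthFactor(CATASTROPHIC, nearMiss, 18, 4).toFixed(1));
console.log('linear growth x', growthFactor(LINEAR, nearMiss, 20000, 20000).toFixed(1));
console.log(guardedValidate(CATASTROPHIC, nearMiss(5000)));
```

Run a probe like this against any regex that sees untrusted input before it ships; a growth factor far above the input-length ratio is the backtracking signature that CWE-1333 describes.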