CVE-2025-25283

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-25283
parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to ~50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB respectively, and an out of memory that would crash a running Node.js application due to a string size of roughly 10 MB that utilizes unicode characters. Version 2.1.3 contains a patch.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/jkroso/parse-duration/commit/9e88421bfd41806fa4b473bfb28a9ee9dafc27d7
https://github.com/jkroso/parse-duration/releases/tag/v2.1.3
https://github.com/jkroso/parse-duration/security/advisories/GHSA-hcrg-fc28-fcg5
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) parse-duraton es un software que permite a los usuarios convertir una duración legible para humanos en milisegundos. Las versiones anteriores a la 2.1.3 son vulnerables a un retraso en el bucle de eventos debido a la operación limitada por la CPU de resolver la cadena proporcionada, desde 0,5 ms hasta ~50 ms por operación, con un tamaño variable desde 0,01 MB hasta 4,3 MB respectivamente, y una falta de memoria que bloquearía una aplicación Node.js en ejecución debido a un tamaño de cadena de aproximadamente 10 MB que utiliza caracteres Unicode. La versión 2.1.3 contiene un parche.

12 Feb 2025, 19:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-12 19:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-25283

Mitre link : CVE-2025-25283

CVE.ORG link : CVE-2025-25283

JSON object : View

Products Affected

No product.

CWE
CWE-1333

Inefficient Regular Expression Complexity