Affected versions of slug are vulnerable to a regular expression denial of service when parsing untrusted user input.

The issue is low severity, as it takes 50,000 characters to cause the event loop to block for 2 seconds,

About 50k characters can block the event loop for 2 seconds.

Recommendation

Update to version 0.9.2 or later.

References

• https://nvd.nist.gov/vuln/detail/CVE-2017-16117
• dodo/node-slug#82
• GHSA-jxqq-cqm6-pfq9
• https://www.npmjs.com/advisories/537