CVE-2015-9239

Name of the Vulnerable Software and Affected Versions ansi2html versions prior to a fixed version (no specific fixed version mentioned)

Description The issue is related to a regular expression denial of service (ReDoS) vulnerability. When certain types of user input are passed in, it can cause a denial of service. The estimated time to parse the input string grows significantly with the size of the input, making it unlikely to allow strings of a useful size while protecting against the denial of service attack.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider avoiding passing user input to the ansi2html package, or limit the size of the input string to a size with a parse time you find acceptable. In the case that user input of significant length must be parsed by ansi2html, the best mitigation is to use an alternative module that provides similar functionality.