PT-2025-7066 · Node.Js · Parse Duration

Lirantal · Published 2025-02-12 · Updated 2025-02-12 · CVE-2025-25283

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: parse-duration versions prior to 2.1.3
Description: The parse() function of parse-duration resolves the supplied string with CPU-bound, regular-expression-based processing, notably a series of replace() calls, each of which creates a fresh copy of the input in memory. On large inputs this work blocks the Node.js event loop: for strings between roughly 0.01 MB and 4.3 MB the delay is about 0.5 ms to ~50 ms per call and grows with the input size. A string of roughly 10 MB made up of multi-byte unicode characters pushes memory consumption high enough to crash the Node.js process with an out-of-memory error. Any application that passes attacker-controlled strings to parse() is therefore exposed to denial of service; as the CVSS vector states, the flaw is reachable over the network without privileges or user interaction and affects availability only.
Recommendations: For versions prior to 2.1.3, update to version 2.1.3, which contains a patch for this issue. As a temporary workaround, restrict the size of input strings before they reach parse(), which prevents both the event-loop delay and the out-of-memory condition. Additionally, rate-limiting concurrent requests that invoke the parser limits how much a single client can degrade application performance.
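The workaround above, as an added example that is not part of the advisory or of parse-duration's own code: a byte-length guard that runs before any duration parser, plus a wrapper that applies it to whatever parser you pass in. The cap of 64 bytes, the DurationInputError class, and the small demoParse stand-in parser (used only so the example runs stand-alone) are assumptions of this example; in production you would wrap the real parse-duration parse export the same way.

```javascript
// Added example (not parse-duration's own code): an input-size guard that
// implements the advisory's workaround, restricting the size of strings before
// they reach a duration parser. `demoParse` below is a constructed stand-in
// parser used only so the example runs stand-alone.

// Assumption: no legitimate duration string needs more than this many bytes.
const MAX_INPUT_BYTES = 64;

class DurationInputError extends Error {
  constructor(message) {
    super(message);
    this.name = 'DurationInputError';
  }
}

// Reject non-strings and oversized strings before any CPU- or memory-heavy work.
// Buffer.byteLength counts UTF-8 bytes, so multi-byte (unicode) characters are
// charged their real size; String.prototype.length would undercount them,
// which matters because the advisory's out-of-memory case is a unicode string.
function checkDurationInput(input, maxBytes = MAX_INPUT_BYTES) {
  if (typeof input !== 'string') {
    throw new DurationInputError('duration input must be a string');
  }
  const bytes = Buffer.byteLength(input, 'utf8');
  if (bytes > maxBytes) {
    throw new DurationInputError(
      `duration input too large: ${bytes} bytes (limit ${maxBytes})`
    );
  }
  return input;
}

// Wrap any parser so the size check always runs first. The wrapped parser
// never sees an oversized string, so its replace()-based copies stay small.
function makeSafeParser(parseFn, { maxBytes = MAX_INPUT_BYTES } = {}) {
  return function safeParse(input, ...rest) {
    checkDurationInput(input, maxBytes);
    return parseFn(input, ...rest);
  };
}

// Constructed stand-in parser: sums "<number><unit>" tokens into milliseconds.
// It is deliberately simple and is not parse-duration's implementation.
const UNIT_MS = { ms: 1, s: 1000, m: 60000, h: 3600000, d: 86400000 };
function demoParse(str) {
  const token = /(\d+(?:\.\d+)?)\s*(ms|s|m|h|d)\b/g;
  let total = 0;
  let match;
  while ((match = token.exec(str)) !== null) {
    total += parseFloat(match[1]) * UNIT_MS[match[2]];
  }
  return total;
}

const safeParse = makeSafeParser(demoParse, { maxBytes: MAX_INPUT_BYTES });

// Exercise the guard: a normal string parses; an oversized ASCII string, a
// short-looking but byte-heavy unicode string, and a non-string are all
// rejected before the parser runs. Returns a summary object.
function demo() {
  const results = { ok: safeParse('1h 30m'), rejected: [] };
  for (const bad of ['1s '.repeat(1000), '\u65e5'.repeat(30), 42]) {
    try {
      safeParse(bad);
    } catch (err) {
      if (!(err instanceof DurationInputError)) throw err;
      results.rejected.push(err.message);
    }
  }
  return results;
}

console.log(demo());
```

The 30-character unicode string is the instructive case: its length is 30, well under the cap, but it occupies 90 UTF-8 bytes and is rejected. A byte cap on its own does not implement the second recommendation (rate-limiting concurrent requests); that belongs at the HTTP layer in front of the handler that calls the parser.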

Tags: Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

CVE-2025-25283
GHSA-HCRG-FC28-FCG5

Affected Products

Node.Js
Parse Duration