
fix: Upgrade ms from 0.7.1 to 2.0.0 to remediate CVE-2017-20162 #28

Draft
galanko wants to merge 1 commit into master from opensec/fix/ms-0.7.1-cve-2017-20162

Conversation

@galanko

@galanko galanko commented May 15, 2026

Summary

Automated remediation for trivy finding: Vercel ms Inefficient Regular Expression Complexity vulnerability (CVE-2017-20162)

Changes

  • Added direct dependency on ms@2.0.0 to package.json to override vulnerable transitive dependency (ms@0.7.1)
  • Ran npm install to update package-lock.json with new dependency tree

Rationale

The vulnerable ms@0.7.1 was used as a transitive dependency via connect (used by helmet) and other packages. By adding ms@2.0.0 as a direct dependency, we ensure the patched version takes precedence in the dependency resolution.

Vulnerability Details

  • Vulnerability: Regular Expression Denial of Service (ReDoS) in ms.parse() function
  • CVE: CVE-2017-20162
  • CVSS: 5.3
  • Fix Version: 2.0.0
  • Previous Version: 0.7.1

Testing

The application does not directly use ms.parse(), so the upgrade should not affect application behavior. The ms package is only used by other libraries for debug logging and timing utilities.


Generated by OpenSec remediation agent
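Added example, not part of this PR or of the OpenSec tooling: a check a reviewer can run against the updated package-lock.json to confirm that no copy of ms below 2.0.0 survives. Adding ms@2.0.0 as a direct dependency replaces only the hoisted node_modules/ms; a dependent whose declared range excludes 2.0.0 keeps its own nested copy, which is what this scan surfaces. The lockfile embedded below is constructed for illustration.

```javascript
// Scan a package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by
// install path) for every installed copy of `ms` and report those still below 2.0.0.

// Constructed sample lockfile: the hoisted ms is fixed, but a dependent that pins
// "ms": "0.7.1" still gets its own nested copy.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { ms: "2.0.0", debug: "2.2.0" } },
    "node_modules/ms": { version: "2.0.0" },
    "node_modules/debug": { version: "2.2.0", dependencies: { ms: "0.7.1" } },
    "node_modules/debug/node_modules/ms": { version: "0.7.1" },
  },
};

// Compare dotted versions numerically ("0.7.1" < "2.0.0"); returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every install path of `pkg` in the lockfile whose version is below `fixed`.
// Every installed copy, hoisted or nested, sits at a path ending in "node_modules/<pkg>".
function findVulnerableCopies(lock, pkg = "ms", fixed = "2.0.0") {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${pkg}`) || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Run against a real project: node check-ms.js ./package-lock.json
// (falls back to the constructed sample when no path is given)
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const bad = findVulnerableCopies(lock);
  console.log(bad.length ? bad : "no copy of ms below 2.0.0 found");
}
```

An empty result is the condition the PR's "Rationale" relies on; a non-empty one means the remaining copy needs its dependent upgraded or an explicit npm `overrides` entry rather than a direct dependency alone.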
