Skip to main content

Decode Uri Component

2 CVEs product

Monthly

CVE-2026-45822 MEDIUM PATCH This Month

Super-linear algorithmic complexity in the decode-uri-component npm package (versions through 0.4.1) allows unauthenticated network attackers to cause severe CPU exhaustion and block the Node.js event loop by submitting crafted strings with large numbers of percent-encoded tokens. The decode() function splits input on '%' and iteratively invokes decodeComponents() in a pattern producing quadratic or worse time growth - 1,400 '%ab' tokens consume approximately 33 seconds of CPU, rendering single-threaded JavaScript runtimes effectively unresponsive. No public exploit is confirmed at time of analysis (CVSS E:U), but the deterministic algorithmic nature makes payload construction trivial for any attacker with a reachable input channel.

Denial Of Service Decode Uri Component
NVD GitHub
CVSS 4.0
6.6
EPSS
0.3%
CVE-2022-38900 npm HIGH POC PATCH THREAT This Week

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Decode Uri Component
NVD GitHub
CVSS 3.1
7.5
EPSS
24.9%
EPSS 0% CVSS 6.6
MEDIUM PATCH This Month

Super-linear algorithmic complexity in the decode-uri-component npm package (versions through 0.4.1) allows unauthenticated network attackers to cause severe CPU exhaustion and block the Node.js event loop by submitting crafted strings with large numbers of percent-encoded tokens. The decode() function splits input on '%' and iteratively invokes decodeComponents() in a pattern producing quadratic or worse time growth - 1,400 '%ab' tokens consume approximately 33 seconds of CPU, rendering single-threaded JavaScript runtimes effectively unresponsive. No public exploit is confirmed at time of analysis (CVSS E:U), but the deterministic algorithmic nature makes payload construction trivial for any attacker with a reachable input channel.

Denial Of Service Decode Uri Component
NVD GitHub
EPSS 25% CVSS 7.5
HIGH POC PATCH THREAT This Week

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Decode Uri Component
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy