CVE-2025-25283
📋 TL;DR
The parse-duration library versions before 2.1.3 are vulnerable to denial of service attacks through CPU-bound operations and memory exhaustion. Attackers can cause event loop delays up to 50ms per operation or crash Node.js applications by providing specially crafted large strings. This affects any application using vulnerable versions of parse-duration for duration parsing.
💻 Affected Systems
- parse-duration
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash and denial of service due to out-of-memory conditions from processing ~10MB strings with Unicode characters.
Likely Case
Significant performance degradation and event loop blocking from processing large duration strings, leading to service disruption.
If Mitigated
Minimal impact with proper input validation and rate limiting in place before vulnerable code execution.
🎯 Exploit Status
Exploitation requires the ability to supply input to the parse-duration function. No authentication bypass is needed if the application accepts external input.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.3
Vendor Advisory: https://github.com/jkroso/parse-duration/security/advisories/GHSA-hcrg-fc28-fcg5
Restart Required: No
Instructions:
1. Update the parse-duration dependency to version 2.1.3 or later.
2. Run 'npm update parse-duration' or update package.json to '^2.1.3'.
3. Test application functionality with duration parsing.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict input validation to reject or truncate excessively long duration strings before passing them to parse-duration.
Rate limiting
Implement rate limiting on endpoints that use parse-duration to prevent rapid exploitation attempts.
🧯 If You Can't Patch
- Implement strict input validation to reject strings longer than reasonable duration formats (e.g., >100 characters).
- Wrap parse-duration calls in timeouts or worker threads to prevent event loop blocking.
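The length and character checks above, as an added example (not code from parse-duration or its advisory). It assumes the parser has parse-duration's call shape, (string) => number | null; a constructed stub stands in for the real module so the file runs offline.

```javascript
// Added example: input guard in front of parse-duration (not the library's own code).
// Assumption: `parse` has parse-duration's call shape, (string) => number | null;
// a constructed stub stands in for it here so the file runs offline.
const MAX_DURATION_LENGTH = 100; // generous for "1 day 2 hours 3 minutes 4.5s"
// Only what a duration string needs: ASCII digits, letters, space, sign, dot, comma.
const ALLOWED = /^[0-9A-Za-z .,+-]*$/;

class DurationInputError extends Error {}

// Validates `input` and only then hands it to `parse`; oversized or
// non-ASCII strings are rejected before the parser ever scans them.
function safeParseDuration(input, parse, maxLength = MAX_DURATION_LENGTH) {
  if (typeof input !== "string") {
    throw new DurationInputError("duration must be a string");
  }
  // Length first: O(1), so a multi-megabyte payload is refused without scanning it.
  if (input.length > maxLength) {
    throw new DurationInputError(`duration exceeds ${maxLength} characters`);
  }
  if (!ALLOWED.test(input)) {
    throw new DurationInputError("duration contains unexpected characters");
  }
  return parse(input);
}

// Constructed stand-in for parse-duration: sums "<number><unit>" tokens
// for ms, s, m, h, d and returns null when nothing matched.
const UNIT_MS = { ms: 1, s: 1000, m: 60000, h: 3600000, d: 86400000 };
function stubParse(str) {
  const re = /(-?\d+(?:\.\d+)?) *(ms|s|m|h|d)\b/g;
  let total = 0, matched = false, m;
  while ((m = re.exec(str)) !== null) {
    total += parseFloat(m[1]) * UNIT_MS[m[2]];
    matched = true;
  }
  return matched ? total : null;
}

// Wraps the guard and counts parser invocations, to show rejected input never reaches it.
function guardedCall(input) {
  let parserCalls = 0;
  const counting = (s) => { parserCalls++; return stubParse(s); };
  try {
    return { value: safeParseDuration(input, counting), parserCalls, rejected: false };
  } catch (e) {
    if (e instanceof DurationInputError) return { value: null, parserCalls, rejected: true };
    throw e;
  }
}
```

In an application, pass the real parse-duration function in place of stubParse and treat DurationInputError as a client error rather than a server failure.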
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for parse-duration version <2.1.3. Run 'npm list parse-duration' to see installed version.
Check Version:
npm list parse-duration | grep parse-duration
Verify Fix Applied:
Confirm parse-duration version is 2.1.3 or higher using 'npm list parse-duration'. Test with known problematic large duration strings.
📡 Detection & Monitoring
Log Indicators:
- High memory usage spikes
- Application crashes with out-of-memory errors
- Unusually long response times for duration parsing endpoints
Network Indicators:
- Repeated requests with unusually long string parameters to duration-related endpoints
SIEM Query:
source=application_logs AND ("out of memory" OR "heap out of memory") AND process="node"