Debian Security Advisory

DLA-3247-1 node-trim-newlines -- LTS security update

Date Reported:
23 Dec 2022
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2021-33623.
More information:

It was discovered that there was a potential remote denial of service vulnerability in node-trim-newlines, a Javascript module to strip newlines from the start and/or end of a string.

This regular expression Denial of Service (ReDoS) attack exploited the fact that most Regular Expression implementations can reach extreme situations that cause them to work very slowly in a way that is exponentially related to the input size. An attacker can then cause a program using node-trim-newlines (and thus the offending regex) to enter one of these extreme situations and then hang for a very long time.

  • CVE-2021-33623

    The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

For Debian 10 Buster, these problems have been fixed in version 1.0.0-1+deb10u1.

We recommend that you upgrade your node-trim-newlines packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: