CVE-2025-25283 Overview
CVE-2025-25283 is a Regular Expression Denial of Service (ReDoS) vulnerability in the parse-duration npm package, a widely used JavaScript library that converts human-readable duration strings such as "1h 30m" into milliseconds. Versions prior to 2.1.3 can be made to stall the Node.js event loop or exhaust memory with specially crafted input strings.
The vulnerability stems from a CPU-bound string resolution step inside the parser: inputs between 0.01 MB and 4.3 MB produce synchronous delays of roughly 0.5 ms to ~50 ms per call, during which the process serves no other requests. More seriously, a string of approximately 10 MB built from unicode characters can drive the process into an out-of-memory condition and crash the entire Node.js application.
Critical Impact
Attackers can exploit this vulnerability to cause denial of service conditions in Node.js applications, leading to event loop blocking or complete application crashes through memory exhaustion.
Affected Products
- parse-duration versions prior to 2.1.3
- Node.js applications utilizing vulnerable parse-duration versions
- Web applications and APIs processing user-supplied duration strings
Discovery Timeline
- 2025-02-12 - CVE-2025-25283 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-25283
Vulnerability Analysis
This vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity), commonly known as ReDoS. The parse-duration library processes user-provided strings to extract duration values and convert them to milliseconds. When it receives a maliciously crafted string, the parser spends its time in a synchronous, CPU-bound string resolution step, and because the Node.js event loop is single-threaded, every other request handled by that process waits until the call returns.
The attack manifests in two ways: event loop delay attacks, using moderately sized payloads (0.01 MB to 4.3 MB) that cost 0.5 ms to 50 ms of blocking per call and can be repeated at will, and memory exhaustion attacks, using larger payloads (~10 MB) built from unicode characters that crash the application outright.
Root Cause
The root cause is a CPU-bound string resolution operation within the parse-duration library. For specially crafted strings, particularly those containing unicode characters, the processing time and, for the ~10 MB payload, the memory the library allocates are out of proportion to the effort the attacker spent producing the input. That asymmetry is what makes the function an effective denial-of-service primitive.
Attack Vector
The vulnerability is exploitable remotely over the network with no authentication or user interaction. An attacker can target any endpoint that accepts a duration string and passes it to the vulnerable parse-duration function: REST APIs, form inputs, configuration endpoints, or any other interface that processes time-related user input.
The attack is especially effective against high-traffic services. Because a Node.js process handles all of its connections on one event loop, a single blocking parse delays every in-flight request on that process, and a few concurrent malicious requests are enough to keep the loop saturated or, with the larger payload, to crash the process and drop all of its connections at once.
Detection Methods for CVE-2025-25283
Indicators of Compromise
- Abnormally high CPU utilization on Node.js processes handling duration parsing
- Increased memory consumption in application servers processing user input
- Node.js application crashes with out-of-memory errors
- Slow API response times or timeouts on endpoints accepting duration parameters
- Event loop lag metrics showing significant delays (>50ms)
Detection Strategies
- Monitor Node.js event loop lag metrics for sudden spikes indicating blocking operations
- Implement application performance monitoring (APM) to track duration parsing operation times
- Set up alerting for Node.js process crashes with heap allocation failure errors
- Use software composition analysis (SCA) tools to identify vulnerable parse-duration versions in dependencies
Monitoring Recommendations
- Configure alerts for Node.js memory usage exceeding normal operational thresholds
- Alert on duration parameters that are far longer than any legitimate value (for example more than 1 KB; a real duration string is a few dozen characters, and the advisory's smallest test payload is already 0.01 MB)
- Track application restart frequency to detect crash-and-restart patterns
- Implement logging for duration parsing operations that exceed expected completion times
How to Mitigate CVE-2025-25283
Immediate Actions Required
- Upgrade parse-duration to version 2.1.3 or later immediately
- Review application endpoints that accept duration string inputs for exposure
- Implement input validation to limit the size of duration strings before processing
- Consider adding request timeout protections to prevent long-running parsing operations
Patch Information
The vulnerability has been patched in parse-duration version 2.1.3. The fix addresses the inefficient string processing that allowed CPU and memory exhaustion. Organizations should update their dependencies to this version or later, including copies pulled in transitively by other packages.
For detailed information about the patch, refer to the GitHub commit and the official release notes for v2.1.3. Additional security details are available in the GitHub Security Advisory GHSA-hcrg-fc28-fcg5.
Workarounds
- Reject duration strings longer than a small fixed limit (e.g., 1 KB; a legitimate value is a few dozen characters) before they reach the parser, and consider restricting them to printable ASCII, since the advisory's crash payload relies on unicode characters
- Put a timeout around parsing, with the caveat that a timer cannot interrupt a synchronous, CPU-bound call on the main thread; a timeout only helps when the parse runs somewhere the main thread can abandon, such as a worker thread
- Rate-limit endpoints that accept duration inputs so a single client cannot replay the payload at volume
- Run the parse in a worker thread with resourceLimits set, so that memory exhaustion terminates the worker (ERR_WORKER_OUT_OF_MEMORY) rather than the whole process, and terminate the worker when the timeout fires
# Install the patched version (pins ^2.1.3 in package.json)
npm install parse-duration@^2.1.3
# If parse-duration is only a transitive dependency, force the patched
# version with the "overrides" field in package.json (npm 8.3+), e.g.
#   "overrides": { "parse-duration": "^2.1.3" }
# then reinstall so the lockfile picks it up
npm install
# Verify that every copy in the dependency tree is 2.1.3 or later
npm ls parse-duration
# Confirm the advisory no longer fires
npm audit
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.