[wp-trac] [WordPress Trac] #43749: Update zxcvbn to 4.4.2
WordPress Trac
noreply at wordpress.org
Tue Oct 7 08:24:38 UTC 2025
#43749: Update zxcvbn to 4.4.2
-----------------------------------------+-----------------------------
Reporter: desrosj | Owner: (none)
Type: enhancement | Status: assigned
Priority: normal | Milestone: Future Release
Component: External Libraries | Version:
Severity: normal | Resolution:
Keywords: needs-testing needs-refresh | Focuses: javascript
-----------------------------------------+-----------------------------
Comment (by La Geek):
https://security.snyk.io/package/npm/zxcvbn/4.4.2
So an update to 4.4.2 is not the solution.
> Affected versions of this package are vulnerable to Regular Expression
> Denial of Service (ReDoS) via the repeat_match functionality, due to the
> usage of an insecure regex in the lazy_anchored variable.
Quote from this ticket:
https://core.trac.wordpress.org/ticket/63259#comment:1
> Feedback from the Bavarian "Landesamt für Sicherheit in der
> Informationstechnik":
> "The vulnerability only affects the availability of the website in the
> client's browser and does not pose a threat to the server side, provided
> the affected library is only used on the client side. However, this still
> constitutes a violation of the administrative regulation BayITSiR-14,
> section 3.4 d), since security patches (including those from third-party
> products) must be installed immediately."
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43749#comment:30>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
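The Snyk text quoted in the comment names the regex variable but not what it does, so here is the shape of the problem as an added example. This is my own code, not zxcvbn's and not part of the ticket. It assumes that zxcvbn's lazy_anchored is /^(.+?)\1+$/, a backreference pattern that returns the shortest unit a string consists of when the whole string is that unit repeated; a backtracking engine answers that by trying every candidate unit length and re-scanning the rest of the string for each, so its cost grows at least quadratically on almost-repeating input such as "aaaa...ab". The prefix-function (KMP failure table) version gives the same answer in linear time, and the cross-check function shows the two agree on constructed samples.

```javascript
// Added example, not code from zxcvbn or from the ticket.
// Assumption: zxcvbn's `lazy_anchored` is /^(.+?)\1+$/, i.e. "find the
// shortest unit u such that the whole string is u repeated at least twice".

// Regex version: the assumed zxcvbn pattern, kept only for comparison on
// short inputs. `.` does not match line terminators, so callers are
// expected to pass single-line strings (passwords).
function shortestRepeatUnitRegex(s) {
  const m = /^(.+?)\1+$/.exec(s);
  return m ? m[1] : null;
}

// Linear-time version. pi[i] is the length of the longest proper prefix of
// s[0..i] that is also a suffix of it. The smallest period of s is
// n - pi[n-1]; s is a pure repetition exactly when that period divides n
// and is shorter than n, and the unit is then the first `period` chars.
function shortestRepeatUnit(s) {
  const n = s.length;
  if (n < 2) return null;
  const pi = new Array(n).fill(0);
  for (let i = 1; i < n; i++) {
    let k = pi[i - 1];
    while (k > 0 && s[i] !== s[k]) k = pi[k - 1];
    if (s[i] === s[k]) k++;
    pi[i] = k;
  }
  const period = n - pi[n - 1];
  return period < n && n % period === 0 ? s.slice(0, period) : null;
}

// Cross-check: return the inputs on which the two functions disagree.
// An empty result means the linear version is a drop-in replacement for
// these samples.
function disagreements(samples) {
  return samples.filter(
    (s) => shortestRepeatUnit(s) !== shortestRepeatUnitRegex(s)
  );
}

// Constructed sample inputs (made up for this example, not real passwords).
const SAMPLES = [
  "abcabcabc",          // unit "abc"
  "aaaa",               // unit "a" (lazy group picks the shortest unit)
  "aabaab",             // unit "aab"
  "ababa",              // period 2 but 5 % 2 != 0 -> not a repetition -> null
  "abcab",              // null
  "a",                  // too short to repeat -> null
  "xyzxyzxyzxyz",       // unit "xyz"
  "a".repeat(40) + "b", // the almost-repeating shape that makes the regex backtrack -> null
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLES) {
    console.log(JSON.stringify(s), "->", JSON.stringify(shortestRepeatUnit(s)));
  }
  console.log("disagreements:", disagreements(SAMPLES));
}
```

The linear version is what a patch would substitute for the backreference regex; until the library is updated, the only practical client-side mitigation is to cap the length of the string handed to the strength meter, since the regex's backtracking cost is driven entirely by input length.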