[wp-trac] [WordPress Trac] #43749: Update zxcvbn to 4.4.2
WordPress Trac
noreply at wordpress.org
Fri Sep 12 08:28:44 UTC 2025
#43749: Update zxcvbn to 4.4.2
-----------------------------------------+-----------------------------
Reporter: desrosj | Owner: (none)
Type: enhancement | Status: assigned
Priority: normal | Milestone: Future Release
Component: External Libraries | Version:
Severity: normal | Resolution:
Keywords: needs-testing needs-refresh | Focuses: javascript
-----------------------------------------+-----------------------------
Comment (by viva.mundo):
Hi! Got this as feedback from a pen test from a customer:
A vulnerability in this package:
https://security.snyk.io/package/npm/zxcvbn/4.4.1
zxcvbn is a realistic password strength estimation
Affected versions of this package are vulnerable to Regular Expression
Denial of Service (ReDoS) via the repeat_match functionality, due to the
usage of an insecure regex in the lazy_anchored variable.
There seems to be a fixed package at https://github.com/zxcvbn-ts/zxcvbn
with a migration guide at https://zxcvbn-ts.github.io/zxcvbn/guide/migration/
--
Ticket URL: <https://core.trac.wordpress.org/ticket/43749#comment:29>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
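The pattern the comment refers to is the anchored lazy back-reference that zxcvbn's repeat_match uses to find a repeated base token. The block below is an added example, not WordPress or zxcvbn code: it reproduces that matching step and shows the usual mitigation for this class of ReDoS, bounding the input length before any regex runs. The MAX_LEN value is an assumption chosen for illustration.

```javascript
// Pattern from zxcvbn's repeat_match (the lazy_anchored variable named on the ticket).
// A back-reference with a lazy group makes the engine try every prefix as the
// base token, so matching cost grows sharply with input length.
const LAZY_ANCHORED = /^(.+?)\1+$/;

// Assumed cap for this example. Password strength scoring does not need
// hundreds of characters, so truncating before matching removes the lever
// an over-long input would otherwise have on the regex engine.
const MAX_LEN = 100;

// Mirror of the repeat_match step: find the shortest base token that,
// repeated, exactly covers the whole input.
function repeatBaseToken(token) {
  const m = LAZY_ANCHORED.exec(token);
  if (!m) return null;
  return { baseToken: m[1], repeatCount: token.length / m[1].length };
}

// Defensive wrapper: validate the type, truncate, then match. The caller
// learns whether truncation happened so it can log or reject as policy dictates.
function guardedRepeatMatch(password) {
  if (typeof password !== 'string') {
    throw new TypeError('password must be a string');
  }
  const bounded = password.slice(0, MAX_LEN);
  return {
    truncated: bounded.length < password.length,
    match: repeatBaseToken(bounded),
  };
}
```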