CVE-2025-25283: 
JavaScript vulnerability analysis and mitigation

parse-duraton is a software package that allows users to convert human readable duration to milliseconds. A vulnerability was discovered in versions prior to 2.1.3, identified as CVE-2025-25283, which was disclosed on February 12, 2025. The vulnerability affects Node.js applications using the parse-duration package (GitHub Advisory, NVD).

The vulnerability stems from two availability issues related to the regex implementation in the package: an event loop delay caused by CPU-bound operations when resolving provided strings, and potential out-of-memory conditions. The event loop delay ranges from 0.5ms to ~50ms per operation, with input sizes varying from 0.01 MB to 4.3 MB. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The issue is classified as CWE-1333 (Inefficient Regular Expression Complexity) (GitHub Advisory).

The vulnerability can lead to denial of service through two primary mechanisms: 1) Event loop delays causing significant performance degradation, with even small 0.01 MB payloads causing 1ms delays that can compound under concurrent requests, and 2) Application crashes due to out-of-memory conditions, which can be triggered with specially crafted inputs of approximately 10 MB utilizing unicode characters (GitHub Advisory).

The vulnerability has been patched in version 2.1.3 of the parse-duration package. Users are strongly advised to upgrade to this version or later. The fix includes improvements to performance and memory handling, along with safer regular expression implementation (GitHub Release).