CVE-2025-5891: 
JavaScript vulnerability analysis and mitigation

A vulnerability classified as problematic was discovered in Unitech pm2 versions up to 6.0.6, identified as CVE-2025-5891. The vulnerability affects the /lib/tools/Config.js file and involves inefficient regular expression complexity that can be exploited remotely. The vulnerability was disclosed on June 9, 2025, and public exploit code is available (NVD, CVE).

The vulnerability stems from an inefficient regular expression implementation in the Config.js file of the pm2 project. The issue is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-1333 (Inefficient Regular Expression Complexity). The vulnerability has received a CVSS v4.0 score of 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P, and a CVSS v3.1 score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (NVD).

The vulnerability can lead to Denial of Service (DoS) through excessive CPU consumption when processing specially crafted input. When exploited, it can cause extremely high CPU usage and application freezing, potentially affecting the availability of services running on pm2 (GitHub PR).

A fix has been proposed through a pull request to the pm2 project that addresses the inefficient regular expression implementation. Users are advised to update their pm2 installations once a patched version becomes available (GitHub PR).