CVE-2025-25283
Published: 12 February 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-25283 affects the parse-duration npm package, a Node.js library for converting human-readable duration strings to milliseconds. Versions prior to 2.1.3 are vulnerable to denial-of-service (DoS) attacks stemming from a CPU-bound parsing operation that blocks the event loop for 0.5 ms to approximately 50 ms per operation, depending on input string sizes from 0.01 MB to 4.3 MB. Additionally, inputs around 10 MB using Unicode characters can trigger out-of-memory conditions, crashing the host Node.js application. The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any unauthenticated remote attacker can exploit this vulnerability by supplying specially crafted duration strings to an application that passes them to an affected parse-duration version, for example through user-controlled inputs in web APIs or other network-facing endpoints. Successful exploitation results in partial or full DoS: event loop blocking degrades performance under load, while sufficiently large Unicode-heavy strings cause memory exhaustion and application crashes, disrupting service availability without requiring privileges or user interaction.
The GitHub security advisory (GHSA-hcrg-fc28-fcg5), release notes for v2.1.3, and the patching commit (9e88421bfd41806fa4b473bfb28a9ee9dafc27d7) confirm that upgrading to version 2.1.3 resolves the issues by addressing the inefficient parsing logic. Security practitioners should audit dependencies for vulnerable parse-duration instances, apply the patch promptly in Node.js projects, and consider input validation or size limits as interim mitigations.
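The interim mitigation named above (size limits on untrusted duration strings before they reach the parser) can be implemented as a thin wrapper. The following is an added example, not code from the parse-duration project or the advisory. It bounds the input both in characters and in UTF-8 bytes, because the memory-exhaustion case reported here involves Unicode-heavy strings whose byte size exceeds their character count. The `placeholderParse` function and the `MAX_CHARS`/`MAX_BYTES` limits are constructed for this example; in a real service the caller passes the `parse` export of parse-duration 2.1.3 or later as the second argument.

```javascript
// Added example: reject oversized duration strings before any parser sees them.
// Limits are policy values chosen for this example; a legitimate duration string
// such as "1h 30m" is a few dozen characters at most.
const MAX_CHARS = 64;   // maximum UTF-16 code units accepted
const MAX_BYTES = 128;  // maximum UTF-8 bytes accepted (catches multibyte-heavy input)

// Constructed stand-in parser so the example runs offline; it is NOT parse-duration's
// implementation. Accepts a single number followed by one unit (ms, s, m, h, d).
function placeholderParse(str) {
  const m = /^\s*(\d+(?:\.\d+)?)\s*(ms|s|m|h|d)\s*$/.exec(str);
  if (!m) return null;
  const unitMs = { ms: 1, s: 1000, m: 60_000, h: 3_600_000, d: 86_400_000 }[m[2]];
  return Number(m[1]) * unitMs;
}

// Pre-parse validation: type, character count, and UTF-8 byte count.
function checkDurationInput(input, { maxChars = MAX_CHARS, maxBytes = MAX_BYTES } = {}) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (input.length > maxChars) {
    return { ok: false, reason: `exceeds ${maxChars} characters` };
  }
  // A string under the character limit can still be large in bytes when it is
  // built from multibyte code points; measure the encoded size explicitly.
  const bytes = Buffer.byteLength(input, 'utf8');
  if (bytes > maxBytes) {
    return { ok: false, reason: `exceeds ${maxBytes} bytes` };
  }
  return { ok: true, reason: null };
}

// Wrapper: validate first, then hand the string to the real parser.
// `parse` defaults to the placeholder above; pass parse-duration's export in production.
function parseDurationBounded(input, parse = placeholderParse, limits = {}) {
  const check = checkDurationInput(input, limits);
  if (!check.ok) {
    return { ok: false, reason: check.reason, ms: null };
  }
  const ms = parse(input);
  if (ms === null || ms === undefined || Number.isNaN(ms)) {
    return { ok: false, reason: 'unparseable', ms: null };
  }
  return { ok: true, reason: null, ms };
}

// Constructed sample inputs: a normal value, an oversized ASCII string, and a
// short-looking but byte-heavy Unicode string (60 copies of U+20AC, 3 bytes each).
console.log(parseDurationBounded('5s'));                   // ok: 5000 ms
console.log(parseDurationBounded('x'.repeat(65)).reason);  // exceeds 64 characters
console.log(parseDurationBounded('\u20ac'.repeat(60)).reason); // exceeds 128 bytes
```

The wrapper returns a structured result rather than throwing, so request handlers can log the rejection reason (useful as a detection signal for probing) and respond with a 400 instead of letting the request reach the parser. The limits are deliberately conservative; tune them to the longest duration string the application legitimately accepts, and keep the byte check even after upgrading, since it costs nothing and bounds work done by any future parser.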
Details
- CWE(s): CWE-1333
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote, unauthenticated DoS via crafted inputs that exploit inefficient parsing logic in the library. Exploiting an application-level flaw to cause event loop blocking, resource exhaustion, and crashes maps directly to Endpoint Denial of Service: Application or System Exploitation (T1499.004).