Cyber Resilience

CVE-2025-25283

Severity: High

Published: 12 February 2025
Modified: 15 April 2026
KEV Added: not currently listed
Patch: available (version 2.1.3)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0012 (30.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-25283 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 30.1th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-25283 affects the parse-duration npm package, a Node.js library for converting human-readable duration strings to milliseconds. Versions prior to 2.1.3 are vulnerable to denial-of-service (DoS) attacks stemming from a CPU-bound parsing operation that causes event loop delays ranging from 0.5ms to approximately 50ms per operation, depending on input string sizes from 0.01 MB to 4.3 MB. Additionally, inputs around 10 MB using Unicode characters can trigger out-of-memory conditions, crashing the host Node.js application. The vulnerability is classified under CWE-1333 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any unauthenticated remote attacker can exploit this vulnerability by supplying specially crafted duration strings to an application using the affected parse-duration versions, such as through user-controlled inputs in web APIs or other network-facing endpoints. Successful exploitation results in partial or full DoS: event loop blocking degrades performance under load, while sufficiently large Unicode-heavy strings cause memory exhaustion and application crashes, disrupting service availability without requiring privileges or user interaction.

The GitHub security advisory (GHSA-hcrg-fc28-fcg5), release notes for v2.1.3, and the patching commit (9e88421bfd41806fa4b473bfb28a9ee9dafc27d7) confirm that upgrading to version 2.1.3 resolves the issues by addressing the inefficient parsing logic. Security practitioners should audit dependencies for vulnerable parse-duration instances, apply the patch promptly in Node.js projects, and consider input validation or size limits as interim mitigations.

EU & UK References

Vulnerability details

parse-duration is software that allows users to convert a human-readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from 0.5ms and up to ~50ms per operation, with a varying input size from 0.01 MB and up to 4.3 MB respectively, and to an out-of-memory condition that would crash a running Node.js application due to a string size of roughly 10 MB that utilizes Unicode characters. Version 2.1.3 contains a patch.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The CVE describes a remote unauthenticated DoS via crafted inputs exploiting inefficient parsing logic in the library, directly enabling application or system exploitation to cause event loop blocking, resource exhaustion, and crashes (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-46242 (shared CWE-1333)
CVE-2025-70030 (shared CWE-1333)
CVE-2024-41766 (shared CWE-1333)
CVE-2026-4867 (shared CWE-1333)
CVE-2025-10990 (shared CWE-1333)
CVE-2026-27904 (shared CWE-1333)
CVE-2026-30925 (shared CWE-1333)
CVE-2026-22178 (shared CWE-1333)
CVE-2026-23956 (shared CWE-1333)
CVE-2026-1388 (shared CWE-1333)

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Timely patching of the vulnerable parse-duration library to version 2.1.3 directly eliminates the inefficient CPU-bound parsing and out-of-memory flaws causing DoS.

Prevent: Validating human-readable duration string inputs prevents processing of specially crafted strings that trigger event loop delays or memory exhaustion.

Prevent: Enforcing size and type restrictions on duration string inputs blocks oversized Unicode-heavy payloads that lead to application crashes.
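The interim mitigation recommended in the analysis above, input validation and size limits placed in front of the parser, as an added example; this is not code from parse-duration or from this advisory. The guard rejects oversized or non-ASCII strings before any parsing work happens, which bounds the CPU cost the advisory measures on multi-megabyte inputs and excludes the Unicode-heavy payloads that trigger the out-of-memory crash, and the parser behind it scans the already-bounded input in one linear pass. The 64-character cap, the ASCII allowlist and the unit table are constructed illustrative choices, not values from the advisory.

```javascript
'use strict';

// Added example, not parse-duration's own code. The limits below are
// constructed for illustration; tune them to what your application
// actually accepts (e.g. "1h 30m", "250ms").
const MAX_DURATION_INPUT_LENGTH = 64;          // assumption: legitimate inputs are short
const ASCII_ALLOWLIST = /^[0-9a-zA-Z .]*$/;    // anchored, single character class: linear time

// Constructed unit table; milliseconds per unit.
const UNIT_MS = {
  ms: 1, s: 1000, sec: 1000, m: 60000, min: 60000,
  h: 3600000, hr: 3600000, d: 86400000, w: 604800000,
};

class DurationInputError extends Error {}

// Size and type restrictions applied BEFORE any parsing work: the length cap
// bounds the parser's CPU cost and the ASCII allowlist excludes Unicode-heavy
// payloads of the kind the advisory describes.
function validateDurationInput(input) {
  if (typeof input !== 'string') {
    throw new DurationInputError('duration must be a string');
  }
  if (input.length > MAX_DURATION_INPUT_LENGTH) {
    throw new DurationInputError(`duration longer than ${MAX_DURATION_INPUT_LENGTH} characters`);
  }
  if (!ASCII_ALLOWLIST.test(input)) {
    throw new DurationInputError('duration contains characters outside the allowlist');
  }
  return input;
}

// Single-pass scanner over the validated input: every character is examined
// once, so cost is linear in an input whose length is already capped.
// Returns the total in milliseconds or throws DurationInputError.
function parseDurationMs(input) {
  const s = validateDurationInput(input).trim();
  let i = 0;
  let total = 0;
  let sawToken = false;
  while (i < s.length) {
    while (i < s.length && s[i] === ' ') i++;          // skip separators
    if (i >= s.length) break;
    let numStr = '';
    while (i < s.length && ((s[i] >= '0' && s[i] <= '9') || s[i] === '.')) {
      numStr += s[i++];
    }
    const value = Number(numStr);
    if (numStr === '' || Number.isNaN(value)) {
      throw new DurationInputError(`expected a number at offset ${i}`);
    }
    while (i < s.length && s[i] === ' ') i++;          // optional space before unit
    let unit = '';
    while (i < s.length && /[a-zA-Z]/.test(s[i])) {
      unit += s[i++];
    }
    unit = unit.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(UNIT_MS, unit)) {
      throw new DurationInputError(`unknown unit "${unit}"`);
    }
    total += value * UNIT_MS[unit];
    sawToken = true;
  }
  if (!sawToken) throw new DurationInputError('empty duration');
  return total;
}

// Convenience predicate for request handlers: true when the input would be
// accepted by the guard and parser, false when it is rejected.
function isAcceptableDurationInput(input) {
  try {
    parseDurationMs(input);
    return true;
  } catch (e) {
    if (e instanceof DurationInputError) return false;
    throw e;
  }
}
```

In an application that keeps using the upstream library after upgrading to 2.1.3, `validateDurationInput` is the part to retain: call it on every network-sourced duration string before handing the value to the library, so that a pathological input is refused at the API boundary rather than paid for inside the parser.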

References