CVE-2023-26115
Is CVE-2023-26115 real, exploitable, or a false positive? Here's the community ground truth.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.
Community ground truth
Community verdict
3 verdicts. Includes TruePositive's curated baseline from public sources — community verdicts accrue on top.
Practitioners rate this lower than its CVSS — likely over-rated by the score.
Field notes & remediation
Verdicts are the quick signal — notes are the evidence and fixes behind them.
- Regex denial-of-service in the word-wrap formatting utility. To exploit it an attacker must control the string being wrapped — but word-wrap is used for CLI/log/help-text formatting, not on untrusted network input, so the malicious payload essentially never reaches it. It became the poster child for npm audit fatigue: thousands of teams opened tickets for a transitive dev-dependency finding with no realistic impact.
  Sources: GitHub advisory GHSA-j8xg-fqg3-53r7 · NVD.
- Bump word-wrap to 1.2.4+ to clear the audit noise (a one-line lockfile change). Don't treat it as an incident — for typical usage the real-world risk is negligible.
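
To confirm the bump described in the remediation note actually cleared every copy, the following added example (not from this page or from TruePositive) walks an npm package-lock.json and reports each word-wrap instance, whether it is dev-only, and whether it is below 1.2.4. The function names and the sample lockfile are constructed for illustration; the lockfile layouts assumed are npm's `packages` map (lockfileVersion 2/3) and nested `dependencies` tree (lockfileVersion 1).

```javascript
// Added example: audit a parsed package-lock.json for word-wrap below 1.2.4.
const FIXED = [1, 2, 4]; // fixed version named in the remediation note

// Compare "x.y.z" against FIXED; pre-release/build suffixes are ignored.
function isBelowFixed(version) {
  const parts = String(version || '0.0.0').split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== FIXED[i]) return a < FIXED[i];
  }
  return false;
}

// Collect every installed copy, including nested (transitive) ones.
function findWordWrap(lock) {
  const hits = [];
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === 'node_modules/word-wrap' || path.endsWith('/node_modules/word-wrap')) {
        hits.push({ path, version: meta.version, dev: Boolean(meta.dev) });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested dependency tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'word-wrap') hits.push({ path, version: meta.version, dev: Boolean(meta.dev) });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

const audit = (lock) =>
  findWordWrap(lock).map((h) => ({ ...h, vulnerable: isBelowFixed(h.version) }));

// Constructed sample lockfile (hypothetical project and package names).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/word-wrap': { version: '1.2.3', dev: true },
    'node_modules/legacy-cli/node_modules/word-wrap': { version: '1.2.5' },
  },
};
console.log(audit(sampleLock));
```

A copy reported with `dev: false` ships in the production dependency tree, which is the case worth checking against where the wrapped strings come from.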