CVE-2025-5891

low-risk
Published 2025-06-09

A vulnerability classified as problematic was found in Unitech pm2 up to 6.0.6. This vulnerability affects unknown code of the file /lib/tools/Config.js. The manipulation leads to inefficient regular expression complexity. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Do I need to act?

-
0.37% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
4
CVSS 4.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Pm2

Affected Vendors

Keymetric

References (6)

Product https://gist.github.com/mmmsssttt404/407e2ffe3e0eaa393ad923a86316a385
Exploit https://github.com/Unitech/pm2/pull/5971
Permissions Required https://vuldb.com/?ctiid.311662
Third Party Advisory https://vuldb.com/?id.311662
Third Party Advisory https://vuldb.com/?submit.585750
Exploit https://github.com/Unitech/pm2/pull/5971
24
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal