Regular Expression Denial of Service (ReDoS)

High severity. Published Mar 19, 2021. Updated May 14, 2021.

Package

is-svg (npm)

Affected versions

>= 2.1.0, < 4.2.2

Patched versions

4.2.2

Description

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker supplies a crafted input string, is-svg gets stuck evaluating that regular expression against it for a very long time, tying up the event loop of the process that called it.
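As an added illustration of the defensive alternative (this is example code written for this page, not the is-svg project's own implementation, and the 64 KiB size cap and the structural rules it enforces are assumptions chosen here), the helper below does the same kind of "does this look like an SVG document?" check without a single large regular expression. Every step advances through the input with `indexOf`, `startsWith` or a single forward scan, so the cost stays proportional to input length no matter how the prologue is shaped, which is the property a backtracking regex with nested quantifiers lacks.

```javascript
// Added example, not is-svg's own code: an SVG sniff that cannot be driven
// into catastrophic backtracking because it never uses a regex at all.

const MAX_INPUT_LENGTH = 64 * 1024; // assumption: a type check needs no more

// Find the '>' that closes a <!DOCTYPE ...> starting at index i, honouring an
// internal subset in [...]. One left-to-right pass: linear time, no backtracking.
function findDoctypeEnd(s, i) {
  let depth = 0;
  for (let j = i; j < s.length; j++) {
    const c = s[j];
    if (c === '[') depth++;
    else if (c === ']') depth = Math.max(0, depth - 1);
    else if (c === '>' && depth === 0) return j;
  }
  return -1;
}

// Skip leading whitespace, an optional XML declaration, comments and an
// optional DOCTYPE. Each construct is skipped via indexOf, so the loop makes
// progress on every iteration. Returns null when a construct is unterminated.
function stripPrologue(s) {
  let i = 0;
  for (;;) {
    while (i < s.length && ' \t\r\n'.includes(s[i])) i++;
    if (s.startsWith('<?xml', i)) {
      const end = s.indexOf('?>', i);
      if (end === -1) return null;
      i = end + 2;
    } else if (s.startsWith('<!--', i)) {
      const end = s.indexOf('-->', i);
      if (end === -1) return null;
      i = end + 3;
    } else if (s.startsWith('<!', i)) {
      const end = findDoctypeEnd(s, i);
      if (end === -1) return null;
      i = end + 1;
    } else {
      return s.slice(i);
    }
  }
}

// Decide whether `input` looks like an SVG document: after the prologue it must
// open with an <svg ...> start tag and either end with </svg> or consist of a
// single self-closing <svg .../> element. Oversized or non-string input is
// rejected up front so a caller can never pay for more than MAX_INPUT_LENGTH.
function isSvgSafe(input) {
  if (typeof input !== 'string') return false;
  if (input.length === 0 || input.length > MAX_INPUT_LENGTH) return false;

  const body = stripPrologue(input);
  if (body === null || !body.startsWith('<svg')) return false;

  // Reject tag names that merely begin with "svg" (e.g. <svgfoo>).
  const next = body[4];
  if (next !== undefined && !' \t\r\n>/'.includes(next)) return false;

  const tagEnd = body.indexOf('>');
  if (tagEnd === -1) return false;

  const trimmed = body.trimEnd();
  if (trimmed.endsWith('</svg>')) return true;

  // Self-closing form: the start tag ends in "/>" and nothing follows it.
  return body[tagEnd - 1] === '/' && trimmed.length === tagEnd + 1;
}

module.exports = { isSvgSafe, stripPrologue, findDoctypeEnd, MAX_INPUT_LENGTH };
```

The two defensive ideas here are independent and both worth keeping even if a regex is retained: cap the input length before any pattern runs, and prefer a scanner whose every loop iteration consumes input over a pattern with nested or overlapping quantifiers. When a dependency's validator must stay regex-based, the same length cap in front of the call bounds the worst case a crafted string can cost.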

CVE ID

CVE-2021-28092

CVSS Score

7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H