Regular Expression Denial of Service (ReDoS)

high severity Published Mar 19, 2021 • Updated Oct 21, 2021

Package

npm ssri (npm)

Affected versions

>= 5.2.2, < 6.0.2
>= 7.0.0, < 7.1.1
= 8.0.0

Patched versions

6.0.2
7.1.1
8.0.1

Description

npm ssri versions 5.2.2 through 6.0.1 and 7.0.0 through 8.0.0 process SRIs (Subresource Integrity strings) using a regular expression that is vulnerable to denial of service. A maliciously crafted SRI could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
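As an added example, not taken from the advisory or the ssri project: a small JavaScript check that scans a package-lock.json object for ssri copies falling inside the affected ranges listed above, including nested copies under other packages. The lockfile contents and helper names are constructed for illustration.

```javascript
// Affected ssri version ranges as listed in the advisory above
// (lower bound inclusive, upper bound exclusive).
const AFFECTED_RANGES = [
  { min: '5.2.2', max: '6.0.2' }, // >= 5.2.2, < 6.0.2
  { min: '7.0.0', max: '7.1.1' }, // >= 7.0.0, < 7.1.1
  { min: '8.0.0', max: '8.0.1' }, // = 8.0.0
];

// Parse "major.minor.patch" into numbers; a prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Compare two versions numerically, field by field (negative, zero, positive).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when the ssri version falls inside any affected range.
function isAffected(version) {
  return AFFECTED_RANGES.some(r =>
    compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) < 0);
}

// Collect every affected ssri copy from a package-lock.json object.
// Handles lockfile v1 (nested "dependencies") and v2/v3 ("packages" keyed by path).
function findAffectedSsri(lock) {
  const hits = [];
  for (const [name, dep] of Object.entries(lock.dependencies || {})) {
    if (name === 'ssri' && isAffected(dep.version)) hits.push(dep.version);
    if (dep.dependencies) hits.push(...findAffectedSsri(dep)); // nested node_modules
  }
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/ssri') && isAffected(pkg.version)) hits.push(pkg.version);
  }
  return hits;
}

// Constructed sample lockfile (v2 layout): patched top-level ssri plus a vulnerable nested copy.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/ssri': { version: '8.0.1' },
    'node_modules/cacache/node_modules/ssri': { version: '6.0.1' },
  },
};
console.log('affected ssri versions:', findAffectedSsri(SAMPLE_LOCK));
```

To use it on a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any reported version should be upgraded to the patched release for its major line.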

CVE ID

CVE-2021-27290

CVSS Score

7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H