A vulnerability has been reported: CVE-2021-29059

[mfranzke]

A vulnerability was discovered in IS-SVG version 4.3.1 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Source: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-29059

I'm not an expert in this kind of vulnerabilities, but I've recognized the warnings coming up and wanted to let you know as I've recognized that this topic hasn't been mentioned and/or discussed here.

[sindresorhus]

I was not aware of that one. Thanks for letting me know.

[sindresorhus]

@yetingli It's quite unprofessional to publish a CVE without consulting with the maintainer first. I replied to your email and never got a response. The CVE also has an incorrect version range. It should be 2.1.0 to 4.2.2. Please correct this ASAP.

[yetingli]

@yetingli It's quite unprofessional to publish a CVE without consulting with the maintainer first. I replied to your email and never got a response. The CVE also has an incorrect version range. It should be 2.1.0 to 4.2.2. Please correct this ASAP.

Thank you for reminding me. I released a CVE because these issues had been fixed. My original intention was to hope that everyone can use your package is-svg more safely. If you mind, I will apply to abolish this CVE.

Besides, I would like to kindly remind you that even though a regex has the polynomial (i.e., not exponential) complexity, it also has a ReDoS vulnerability, such as Stack Overflow 2016 Outage.

Warmest regards,
Yeting

[sindresorhus]

I'm ok with keeping it, but the version range should be fixed.

[yetingli]

I will change this version range ASAP. Thank you and have a nice day.

[yetingli]

I will change this version range ASAP. Thank you and have a nice day.

this is done