GitHub Advisory DatabaseGHSA-VX3P-948G-6VHQRegular Expression Denial of Service (ReDoS)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
63.9%
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
References
cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
github.com/advisories/GHSA-vx3p-948g-6vhq
github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538
github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1
github.com/npm/ssri/pull/20#issuecomment-842677644
github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
npmjs.com
nvd.nist.gov/vuln/detail/CVE-2021-27290
www.npmjs.com/package/ssri
www.oracle.com/security-alerts/cpuoct2021.html
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
63.9%