Regular Expression Denial of Service in browserslist

2021-05-2419:52:40

CWE-400

CWE-1333

GitHub Advisory Database

github.com

0.002 Low

EPSS

Percentile

57.1%

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

CPENameOperatorVersion
browserslistlt4.16.5

CPE	Name	Operator	Version
	browserslist	lt	4.16.5

References

github.com/advisories/GHSA-w8qv-6jwh-64r5

github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474

github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98

github.com/browserslist/browserslist/pull/593

nvd.nist.gov/vuln/detail/CVE-2021-23364

snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182

snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194

0.002 Low

EPSS

Percentile

57.1%

Related for GHSA-W8QV-6JWH-64R5