Regular Expression Denial of Service in browserslist

Description

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Recommendation

Update the browserslist package to the latest compatible version. Followings are version details:

• Affected version(s): >= 4.0.0, < 4.16.5
• Patched version(s): 4.16.5

References

• GHSA-w8qv-6jwh-64r5
• snyk.io
• CVE-2021-23364
• CWE-1333
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 5 - CVE-2020-8203
• Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 3 - CVE-2020-8203
• Prototype Pollution in lodash (GHSA-p6mc-m468-83gw) 2 - CVE-2020-8203
• IPX Allows Path Traversal via Prefix Matching Bypass - CVE-2025-54387

Tags:

npm

browserslist