Regular Expression Denial of Service in browserslist

Description

The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Recommendation

Update the browserslist package to the latest compatible version. Followings are version details:

• Affected version(s): >= 4.0.0, < 4.16.5
• Patched version(s): 4.16.5

References

• GHSA-w8qv-6jwh-64r5
• snyk.io
• CVE-2021-23364
• CWE-1333
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• MooTools Regular Expression Denial of Service - CVE-2021-32821
• Regular Expression Denial of Service in jsoneditor - CVE-2021-3822
• Regular Expression Denial of Service (ReDoS) - ssri - CVE-2021-27290
• html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) - CVE-2021-23346

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

browserslist