Regular Expression Denial of Service in ssri

Description

Version of ssri prior to 5.2.2 are vulnerable to regular expression denial of service (ReDoS) when using strict mode.

Recommendation

Update the ssri package to the latest compatible version. Followings are version details:

• Affected version(s): < 5.2.2
• Patched version(s): 5.2.2

References

• GHSA-325j-24f4-qv5x
• www.npmjs.com
• CVE-2018-7651
• CWE-400
• CAPEC-310
• OWASP 2021-A6

Related Issues

• Unknown vulnerability in Coinbase Wallet SDK - Vulnerability
• ReDoS Vulnerability in ua-parser-js version - CVE-2022-25927
• mpregular vulnerable to prototype pollution - CVE-2025-57323
• node-cube vulnerable to prototype pollution - CVE-2025-57348

Tags:

npm

ssri