Description
npm ssri 5.2.2 through 6.0.1 and 7.0.0 through 8.0.0 validates SRI strings with a regular expression that is vulnerable to regular expression denial of service (ReDoS). A maliciously crafted SRI string can take an extremely long time to process, denying service to the caller. This issue only affects consumers that use the strict option; the default (non-strict) parsing path is not affected.
Recommendation
Update the ssri package to the latest compatible version. Consumers that never enable the strict option are not exposed, but updating removes the vulnerable pattern entirely. The version details are as follows:
Affected version(s): **= 8.0.0; >= 7.0.0, < 7.1.1; >= 5.2.2, < 6.0.2**
Patched version(s): **8.0.1, 7.1.1, 6.0.2**
References
- GHSA-vx3p-948g-6vhq
- doyensec.com
- www.npmjs.com
- npmjs.com
- www.oracle.com
- cert-portal.siemens.com
- CVE-2021-27290
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Tags: npm, ssri
Last updated on September 21, 2023