Description
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 processes SRIs (Subresource Integrity strings) using a regular expression that is vulnerable to denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Recommendation
Update the ssri package to the latest compatible version. The version details are as follows:
- Affected version(s): **= 8.0.0**, patched in **8.0.1**
- Affected version(s): **>= 7.0.0, < 7.1.1**, patched in **7.1.1**
- Affected version(s): **>= 5.2.2, < 6.0.2**, patched in **6.0.2**
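As an added example (not code from the advisory or from the ssri project), the following Node.js script flags every copy of ssri in a package-lock.json object whose version falls inside the affected ranges listed above. It assumes the lockfile v2/v3 `packages` layout (keys such as `node_modules/ssri` or `node_modules/foo/node_modules/ssri`) and uses a minimal x.y.z comparison rather than full semver.

```javascript
// Added example (not from the advisory or the ssri project): flag ssri copies in a
// lockfile v2/v3 "packages" map whose version falls in the advisory's affected ranges.
// Minimal x.y.z comparison only; pre-release suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two parsed versions: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected ranges from the advisory as half-open [min, max):
// >= 5.2.2 < 6.0.2, >= 7.0.0 < 7.1.1, and = 8.0.0 (patched in 8.0.1).
const AFFECTED_RANGES = [
  { min: [5, 2, 2], max: [6, 0, 2] },
  { min: [7, 0, 0], max: [7, 1, 1] },
  { min: [8, 0, 0], max: [8, 0, 1] },
];

function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some((r) => cmp(v, r.min) >= 0 && cmp(v, r.max) < 0);
}

// Returns every ssri entry (top-level or nested) whose version is affected.
function findVulnerableSsri(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/ssri$/.test(path) && pkg.version && isAffected(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: two copies are affected, one is already patched.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'demo-app' },
    'node_modules/ssri': { version: '8.0.0' },
    'node_modules/cacache/node_modules/ssri': { version: '6.0.2' },
    'node_modules/make-fetch-happen/node_modules/ssri': { version: '7.1.0' },
  },
};

for (const hit of findVulnerableSsri(SAMPLE_LOCK)) console.log(`affected ssri ${hit.version} at ${hit.path}`);
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no copy of ssri in the lockfile is inside the affected ranges.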
References
- GHSA-vx3p-948g-6vhq
- doyensec.com
- www.npmjs.com
- npmjs.com
- www.oracle.com
- cert-portal.siemens.com
- CVE-2021-27290
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Tags: npm, ssri
Last updated on September 21, 2023