Description
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0 processes SRIs (Subresource Integrity strings) using a regular expression that is vulnerable to denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Recommendation
Update the ssri package to the latest compatible version. Version details are as follows:
Affected version(s): **= 8.0.0; >= 7.0.0, < 7.1.1; >= 5.2.2, < 6.0.2**
Patched version(s): **8.0.1, 7.1.1, 6.0.2**
References
- GHSA-vx3p-948g-6vhq
- doyensec.com
- www.npmjs.com
- npmjs.com
- www.oracle.com
- cert-portal.siemens.com
- CVE-2021-27290
- CWE-400
- CAPEC-310
- OWASP 2021-A6
Related Issues
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) (GHSA-545q-3fg6-48m7) - CVE-2021-23346
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) - CVE-2021-23346
- jspdf vulnerable to Regular Expression Denial of Service (ReDoS) - CVE-2021-23353
- Regular Expression Denial of Service (ReDoS) in jsx-slack - CVE-2021-43838
Tags:
- npm
- ssri
Last updated on September 21, 2023