PT-2021-17738 · Npm · Is-Svg
Published: 2021-03-12 · Updated: 2023-08-08 · CVE-2021-28092
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: is-svg package versions 2.1.0 through 4.2.1
Description: The is-svg package for Node.js is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker supplies a crafted string, the package stays stuck processing that input for a very long time, because the check relies on a vulnerable regular expression.
Recommendations: For versions 2.1.0 through 4.2.1, update to a version that fixes the ReDoS vulnerability in the regular expression. As a temporary workaround, restrict the input so that malicious strings are not processed.

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2021-28092
GHSA-7R28-3M3F-R2PR

Affected Products

Is-Svg