Описание
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Ссылки
- Release NotesThird Party Advisory
- Release NotesThird Party Advisory
- Third Party Advisory
- Product
- Release NotesThird Party Advisory
- Release NotesThird Party Advisory
- Third Party Advisory
- Product
Уязвимые конфигурации
Конфигурация 1Версия от 2.1.0 (включая) до 4.2.1 (включая)
cpe:2.3:a:is-svg_project:is-svg:*:*:*:*:*:node.js:*:*
EPSS
Процентиль: 73%
0.00741
Низкий
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-1333
Связанные уязвимости
CVSS3: 7.5
redhat
почти 5 лет назад
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
EPSS
Процентиль: 73%
0.00741
Низкий
7.5 High
CVSS3
5 Medium
CVSS2
Дефекты
CWE-1333