Vulnerability Details CVE-2017-16021
uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require("uri-js").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 44.3%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 6.8
References
Products affected by CVE-2017-16021
-
cpe:2.3:a:garycourt:uri-js:1.4.0
-
cpe:2.3:a:garycourt:uri-js:1.4.2
-
cpe:2.3:a:garycourt:uri-js:2.0.0
-
cpe:2.3:a:garycourt:uri-js:2.1.0
-
cpe:2.3:a:garycourt:uri-js:2.1.1