Vulnerability Details CVE-2021-28092
The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.007
EPSS Ranking 72.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/sindresorhus/is-svg/releases
- https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2
- https://security.netapp.com/advisory/ntap-20210513-0008/
- https://www.npmjs.com/package/is-svg
- https://github.com/sindresorhus/is-svg/releases
- https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2
- https://security.netapp.com/advisory/ntap-20210513-0008/
- https://www.npmjs.com/package/is-svg
Products affected by CVE-2021-28092
-
cpe:2.3:a:is-svg_project:is-svg:2.1.0
-
cpe:2.3:a:is-svg_project:is-svg:3.0.0
-
cpe:2.3:a:is-svg_project:is-svg:4.0.0
-
cpe:2.3:a:is-svg_project:is-svg:4.1.0
-
cpe:2.3:a:is-svg_project:is-svg:4.2.0
-
cpe:2.3:a:is-svg_project:is-svg:4.2.1