Vulnerability Details CVE-2021-29059
A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.028
EPSS Ranking 85.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0
- https://github.com/yetingli/PoCs/blob/main/CVE-2021-29059/IS-SVG.md
- https://github.com/yetingli/SaveResults/blob/main/js/is-svg.js
- https://www.npmjs.com/package/is-svg
- https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0
- https://github.com/yetingli/PoCs/blob/main/CVE-2021-29059/IS-SVG.md
- https://github.com/yetingli/SaveResults/blob/main/js/is-svg.js
- https://www.npmjs.com/package/is-svg
Products affected by CVE-2021-29059
-
cpe:2.3:a:is-svg_project:is-svg:2.1.0
-
cpe:2.3:a:is-svg_project:is-svg:3.0.0
-
cpe:2.3:a:is-svg_project:is-svg:4.0.0
-
cpe:2.3:a:is-svg_project:is-svg:4.1.0
-
cpe:2.3:a:is-svg_project:is-svg:4.2.0
-
cpe:2.3:a:is-svg_project:is-svg:4.2.1
-
cpe:2.3:a:is-svg_project:is-svg:4.2.2