GHSA-545q-3fg6-48m7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-545q-3fg6-48m7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-545q-3fg6-48m7/GHSA-545q-3fg6-48m7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-545q-3fg6-48m7
- Aliases
- Published
- 2021-03-18T19:39:31Z
- Modified
- 2025-01-14T08:56:53.391305Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS)
- Details
-
This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.
- Database specific
{ "cwe_ids": [ "CWE-400" ], "severity": "MODERATE", "nvd_published_at": "2021-03-04T17:15:00Z", "github_reviewed_at": "2021-03-12T23:03:51Z", "github_reviewed": true }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-23346
- https://github.com/HenrikJoreteg/html-parse-stringify/commit/c7274a48e59c92b2b7e906fedf9065159e73fe12
- https://github.com/HenrikJoreteg/html-parse-stringify/blob/master/lib/parse.js%23L2
- https://github.com/HenrikJoreteg/html-parse-stringify/releases/tag/v2.0.1
- https://github.com/rayd/html-parse-stringify2/blob/master/lib/parse.js%23L2
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1080633
- https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY-1079306
- https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY2-1079307
Affected packages
npm / html-parse-stringify
Package
- Name
- html-parse-stringify
- View open source insights on deps.dev
- Purl
- pkg:npm/html-parse-stringify
npm / html-parse-stringify2
Package
- Name
- html-parse-stringify2
- View open source insights on deps.dev
- Purl
- pkg:npm/html-parse-stringify2