The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input.
{ "github_reviewed_at": "2021-03-15T18:19:52Z", "cwe_ids": [ "CWE-400" ], "nvd_published_at": "2021-03-12T22:15:00Z", "severity": "HIGH", "github_reviewed": true }