GHSA-px4h-xg32-q955

Source

https://github.com/advisories/GHSA-px4h-xg32-q955

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-px4h-xg32-q955/GHSA-px4h-xg32-q955.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-px4h-xg32-q955

Aliases

CVE-2021-33502

Published

2021-06-08T23:11:43Z

Modified

2023-11-08T04:06:04.745015Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

ReDoS in normalize-url

Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Database specific

{
    "nvd_published_at": "2021-05-24T16:15:00Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-28T17:56:25Z"
}

References

Affected packages

npm / normalize-url

Package

Name: normalize-url; View open source insights on deps.dev
Purl: pkg:npm/normalize-url

Affected ranges

Type: SEMVER
Events: Introduced

4.3.0

Fixed

4.5.1

Ecosystem specific

{
    "affected_functions": [
        "(normalize-url)"
    ]
}

npm / normalize-url

Package

Name: normalize-url; View open source insights on deps.dev
Purl: pkg:npm/normalize-url

Affected ranges

Type: SEMVER
Events: Introduced

5.0.0

Fixed

5.3.1

Ecosystem specific

{
    "affected_functions": [
        "(normalize-url)"
    ]
}

npm / normalize-url

Package

Name: normalize-url; View open source insights on deps.dev
Purl: pkg:npm/normalize-url

Affected ranges

Type: SEMVER
Events: Introduced

6.0.0

Fixed

6.0.1

Ecosystem specific

{
    "affected_functions": [
        "(normalize-url)"
    ]
}