GHSA-px4h-xg32-q955

Suggest an improvement
Source
https://github.com/advisories/GHSA-px4h-xg32-q955
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-px4h-xg32-q955/GHSA-px4h-xg32-q955.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-px4h-xg32-q955
Aliases
Published
2021-06-08T23:11:43Z
Modified
2023-11-08T04:06:04.745015Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
ReDoS in normalize-url
Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

References

Affected packages

npm / normalize-url

Package

Affected ranges

Type
SEMVER
Events
Introduced
4.3.0
Fixed
4.5.1

Ecosystem specific

{
    "affected_functions": [
        "(normalize-url)"
    ]
}

npm / normalize-url

Package

Affected ranges

Type
SEMVER
Events
Introduced
5.0.0
Fixed
5.3.1

Ecosystem specific

{
    "affected_functions": [
        "(normalize-url)"
    ]
}

npm / normalize-url

Package

Affected ranges

Type
SEMVER
Events
Introduced
6.0.0
Fixed
6.0.1

Ecosystem specific

{
    "affected_functions": [
        "(normalize-url)"
    ]
}