CVE-2021-23364

Name: CVE-2021-23364
Description: The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 987792

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package            Release       Version                 Status
node-browserslist (PTS)   buster        2.11.3-1                vulnerable
                          bullseye      4.16.3+~cs5.4.72-3      fixed
                          bookworm      4.21.4+~cs6.1.17-2      fixed
                          sid, trixie   4.22.1+~cs6.1.28-1      fixed

The information below is based on the following data on fixed versions.

Package             Type     Release      Fixed Version         Urgency   Origin   Debian Bugs
node-browserslist   source   (unstable)   4.16.3+~cs5.4.72-2    -         -        987792

Notes

[buster] - node-browserslist <ignored> (Minor issue; risky backport with regression potential)
https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
https://github.com/browserslist/browserslist/pull/593
