CVE-2021-27290

NameCVE-2021-27290
Descriptionssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs985841

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-ssri (PTS)buster5.2.4-2vulnerable
bullseye8.0.1-2fixed
sid, trixie, bookworm9.0.1-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-ssrisource(unstable)8.0.1-1985841

Notes

[buster] - node-ssri <no-dsa> (Minor issue)
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2 (v8.0.1)
Search for package or bug name: Reporting problems