CVE-2021-29469

NameCVE-2021-29469
DescriptionNode-redis is a Node.js Redis client. Before version 3.1.1, when a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. The issue is patched in version 3.1.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-redis (PTS)bullseye3.0.2+~cs5.18.1-3fixed
bookworm4.5.1+~1.1.2-1fixed
sid, trixie4.5.1+~1.1.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-redissourcebuster2.8.0-1+deb10u1
node-redissource(unstable)3.0.2+~cs5.18.1-3

Notes

https://github.com/NodeRedis/node-redis/issues/1569
https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3
https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e
Search for package or bug name: Reporting problems