CVE-2021-27290
Regular Expression Denial of Service (ReDoS)
7.5
HIGH
CVSS 3.1
EPSS 2.5%
Description
ssri versions 5.2.2 through 8.0.0 (fixed in 8.0.1) parse Subresource Integrity (SRI) strings with a regular expression that is susceptible to catastrophic backtracking. A crafted SRI string can take an extremely long time to match, burning CPU and causing a denial of service. Only consumers that parse with the strict option enabled are affected; the default, non-strict parsing path is not.
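The regular-expression defect behind this advisory, as an added example that is not code from the ssri project or from this page. The two patterns below reproduce, from memory of the upstream strict-mode regex before and after the 8.0.1 fix, the shape of the bug: the trailing option group `(\?[\x21-\x7E]*)` was repeated with `*` and later restricted to `?`. Treat them as illustrative of the defect class rather than a verbatim quote of the library source. The SRI strings, the attack input, the `maliciousSri`/`safeStrictParse` helpers and the `MAX_SRI_LENGTH` guard are all constructed for this demo.

```javascript
// Added example (not ssri's code): how the strict-mode SRI regex backtracks
// catastrophically, and what the post-8.0.1 shape changes.
// Both patterns are reconstructed from memory of the upstream change and are
// illustrative of the defect class, not a verbatim quote of the library.

// Vulnerable shape: the option group is repeated with '*'. Because '?' (0x3F)
// is also inside [\x21-\x7E], a run of n '?' characters can be divided between
// the group's leading '\?' and its '[\x21-\x7E]*' in 2^(n-1) different ways,
// and the engine tries every one before the '$' anchor finally fails.
const STRICT_SRI_VULNERABLE = /^([a-z0-9]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/;

// Fixed shape: at most one option group ('?'), so there is only one way to
// consume the tail and a rejection costs time linear in the input.
const STRICT_SRI_FIXED = /^([a-z0-9]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)?$/;

// Constructed sample inputs: a base64 sha256 digest is 44 characters and a
// base64 sha512 digest is 88, which is where the {44,88} bound comes from.
const SHA256_DIGEST = 'A'.repeat(43) + '=';
const SHA512_DIGEST = 'B'.repeat(86) + '==';
const VALID_SRI_WITH_OPTION = `sha256-${SHA256_DIGEST}?foo=bar`;
const VALID_SRI_NO_OPTION = `sha512-${SHA512_DIGEST}`;

// Constructed attack input: a valid algorithm and digest, then n '?' characters,
// then a trailing space (0x20, outside [\x21-\x7E]) so the anchor can never
// match and every split of the '?' run is explored.
function maliciousSri(n) {
  return `sha256-${SHA256_DIGEST}${'?'.repeat(n)} `;
}

// Time a single regex test; returns the boolean result and elapsed milliseconds.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Defence that does not depend on the regex at all: bound the input length
// before it reaches any pattern. 1024 is an assumed limit for this demo; the
// longest legitimate digest is 88 characters, so it leaves ample room for options.
const MAX_SRI_LENGTH = 1024;

// Strict parse with the fixed pattern plus the length guard. Returns null on
// rejection. Splitting the captured tail on '?' mirrors how SRI option lists
// are written (e.g. "sha256-<digest>?opt1?opt2").
function safeStrictParse(sri) {
  if (typeof sri !== 'string' || sri.length > MAX_SRI_LENGTH) return null;
  const m = STRICT_SRI_FIXED.exec(sri);
  if (!m) return null;
  const options = m[3] ? m[3].slice(1).split('?').filter(Boolean) : [];
  return { algorithm: m[1], digest: m[2], options };
}

// Compare the two patterns on attack inputs of growing length. Each extra '?'
// roughly doubles the vulnerable pattern's work; the fixed one stays flat.
function compareTimings(lengths) {
  return lengths.map((n) => {
    const input = maliciousSri(n);
    return {
      n,
      vulnerableMs: timeMatch(STRICT_SRI_VULNERABLE, input).ms,
      fixedMs: timeMatch(STRICT_SRI_FIXED, input).ms,
    };
  });
}

for (const row of compareTimings([12, 16, 20])) {
  console.log(`n=${row.n}: vulnerable ${row.vulnerableMs.toFixed(2)} ms, fixed ${row.fixedMs.toFixed(2)} ms`);
}
```

Run it with `node` and raise the lengths a few at a time: the vulnerable column grows geometrically while the fixed column does not, and both patterns still agree on every well-formed SRI. The length guard is the mitigation to reach for when you cannot upgrade immediately; it caps the work of any backtracking pattern regardless of its shape.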
How to fix CVE-2021-27290
To remediate CVE-2021-27290, upgrade the affected package to a fixed version listed below.
- upgrade to 14.16.1-r1 or later
- upgrade to 8.0.1-1 or later
- upgrade to 6.0.2 or later
Is CVE-2021-27290 being exploited?
Low. EPSS is 2.5%, i.e. the model estimates roughly a 2.5% probability that this vulnerability is exploited in the wild within the next 30 days. EPSS is a prediction, not a record of observed attacks, so it does not rule out targeted use, but it indicates that exploitation is not expected at scale.
Affected packages (3)
- >= 0, < 14.16.1-r1
- >= 0, < 8.0.1-1
- >= 5.2.2, < 6.0.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| OSV | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
The vector reads as: reachable over the network, low attack complexity, no privileges or user interaction required, unchanged scope, no confidentiality or integrity impact, high availability impact, which is the expected profile for a ReDoS.