CVE-2021-27290

About vulnerability

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.

Affected product:

Acorn , Next.js , Node.js , boxen , cacache , check-updates , cross-spawn , execa , jpm , last-release-npm , loopback , loopback-connector , loopback-connector-remote , loopback-datasource-juggler , loopback-phase , npm-registry-client , os-locale , semantic-release , semver , ssri , strong-globalize , strong-remoting , term-size , uglifyjs-webpack-plugin , update-notifier , webpack , yargs

Affected packages:

semver @ 5.3.0 (+44 more)

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.