NodeJS/ssri/7.1.0
Standard Subresource Integrity library -- parses, serializes, generates, and verifies integrity metadata according to the SRI spec.
https://www.npmjs.com/package/ssri
ISC
1 Security Vulnerabilities
Regular Expression Denial of Service (ReDoS)
Published date: 2021-03-19T21:24:36Z
CVE: CVE-2021-27290
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2021-27290
- https://github.com/advisories/GHSA-vx3p-948g-6vhq
- https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
- https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
- https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
- https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1
- https://www.npmjs.com/package/ssri
- https://github.com/npm/ssri/pull/20#issuecomment-842677644
- https://npmjs.com
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
- https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538
npm ssri 5.2.2-6.0.1 and 7.0.0-8.0.0, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
Affected versions:
["8.0.0", "7.0.0", "7.0.1", "7.1.0", "5.2.2", "5.2.3", "5.2.4", "5.3.0", "6.0.0", "6.0.1"]
Secure versions:
[8.0.1, 6.0.2, 7.1.1, 9.0.0, 9.0.1, 10.0.0, 10.0.1, 10.0.2, 10.0.3, 10.0.4, 10.0.5]
Recommendation:
Update to version 10.0.5.
38 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 10.0.5 | ISC | 2023-08-14 - 18:54 | 8 months | |
| 10.0.4 | ISC | 2023-04-26 - 19:08 | 12 months | |
| 10.0.3 | ISC | 2023-04-11 - 18:51 | about 1 year | |
| 10.0.2 | ISC | 2023-04-04 - 21:55 | about 1 year | |
| 10.0.1 | ISC | 2022-12-07 - 20:32 | over 1 year | |
| 10.0.0 | ISC | 2022-10-14 - 05:22 | over 1 year | |
| 9.0.1 | ISC | 2022-05-19 - 16:24 | almost 2 years | |
| 9.0.0 | ISC | 2022-04-05 - 16:19 | about 2 years | |
| 8.0.1 | ISC | 2021-01-27 - 19:34 | about 3 years | |
| 8.0.0 | ISC | 1 | 2020-02-18 - 01:26 | about 4 years |
| 7.1.1 | ISC | 2021-05-17 - 22:14 | almost 3 years | |
| 7.1.0 | ISC | 1 | 2019-10-24 - 23:57 | over 4 years |
| 7.0.1 | ISC | 1 | 2019-09-30 - 21:04 | over 4 years |
| 7.0.0 | ISC | 1 | 2019-09-18 - 18:35 | over 4 years |
| 6.0.2 | ISC | 2021-04-07 - 20:01 | about 3 years | |
| 6.0.1 | ISC | 1 | 2018-08-27 - 19:53 | over 5 years |
| 6.0.0 | ISC | 1 | 2018-04-09 - 18:19 | about 6 years |
| 5.3.0 | ISC | 1 | 2018-03-13 - 02:25 | about 6 years |
| 5.2.4 | ISC | 1 | 2018-02-16 - 22:46 | about 6 years |
| 5.2.3 | ISC | 1 | 2018-02-16 - 22:39 | about 6 years |
| 5.2.2 | ISC | 1 | 2018-02-14 - 20:38 | about 6 years |
| 5.2.1 | ISC | 1 | 2018-02-07 - 00:07 | about 6 years |
| 5.1.0 | ISC | 1 | 2018-01-18 - 23:56 | about 6 years |
| 5.0.0 | ISC | 1 | 2017-10-23 - 18:24 | over 6 years |
| 4.1.6 | CC0-1.0 | 1 | 2017-06-07 - 22:21 | almost 7 years |
| 4.1.5 | CC0-1.0 | 1 | 2017-06-05 - 21:14 | almost 7 years |
| 4.1.4 | CC0-1.0 | 1 | 2017-05-31 - 04:22 | almost 7 years |
| 4.1.3 | CC0-1.0 | 1 | 2017-05-24 - 23:40 | almost 7 years |
| 4.1.2 | CC0-1.0 | 1 | 2017-04-18 - 09:53 | almost 7 years |
| 4.1.1 | CC0-1.0 | 1 | 2017-04-12 - 04:17 | about 7 years |
| 4.1.0 | CC0-1.0 | 1 | 2017-04-07 - 15:42 | about 7 years |
| 4.0.0 | CC0-1.0 | 1 | 2017-04-03 - 10:37 | about 7 years |
| 3.0.2 | CC0-1.0 | 1 | 2017-04-03 - 05:18 | about 7 years |
| 3.0.1 | CC0-1.0 | 1 | 2017-04-03 - 05:17 | about 7 years |
| 3.0.0 | CC0-1.0 | 1 | 2017-04-03 - 04:45 | about 7 years |
| 2.0.0 | CC0-1.0 | 1 | 2017-03-24 - 07:50 | about 7 years |
| 1.0.0 | CC0-1.0 | 1 | 2017-03-23 - 07:22 | about 7 years |
| 0.0.0 | CC0-1.0 | 1 | 2017-03-23 - 04:56 | about 7 years |