Vulnerabilities > CVE-2021-28092 - Unspecified vulnerability in Is-Svg Project Is-Svg

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

is-svg-project

NVD

Published: 2021-03-12

Updated: 2023-08-08

Summary

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

Vulnerable Configurations

Part	Description	Count
Application	Is-Svg_Project IS SVG Project IS SVG 2.1.0 IS SVG Project IS SVG 3.0.0 IS SVG Project IS SVG 4.0.0 IS SVG Project IS SVG 4.1.0 IS SVG Project IS SVG 4.2.0 IS SVG Project IS SVG 4.2.1	6

References

https://github.com/sindresorhus/is-svg/releases
https://www.npmjs.com/package/is-svg
https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2
https://security.netapp.com/advisory/ntap-20210513-0008/