CVE-2021-23364 – browserslist
Package
Manager: npm
Name: browserslist
Vulnerable Version: >=4.0.0 <4.16.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
EPSS: 0.00385 (percentile 0.58926)
Details
Regular Expression Denial of Service in browserslist
The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Metadata
Created: 2021-05-24T19:52:40Z
Modified: 2021-05-20T22:03:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-w8qv-6jwh-64r5/GHSA-w8qv-6jwh-64r5.json
CWE IDs: ["CWE-1333", "CWE-400"]
Alternative ID: GHSA-w8qv-6jwh-64r5
Finding: F211
Auto approve: 1