CVE-2021-29469 – redis

Package

Manager: npm
Name: redis
Vulnerable Version: >=2.6.0 <3.1.1

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00622 pctl0.69183

Details

Node-Redis potential exponential regex in monitor mode ### Impact When a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. This issue could lead to a denial of service. ### Patches The problem was fixed in commit [`2d11b6d`](https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e) and was released in version `3.1.1`. ### References #1569 (GHSL-2021-026)

Metadata

Created: 2021-04-27T15:56:03Z
Modified: 2022-08-11T00:21:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-35q2-47q7-3pc3/GHSA-35q2-47q7-3pc3.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-35q2-47q7-3pc3
Finding: F002
Auto approve: 1