Fluid Attacks Database

Description

Regular Expression Denial of Service in ssri Version of ssri prior to 5.2.2 are vulnerable to regular expression denial of service (ReDoS) when using strict mode.

Recommendation

Update to version 5.2.2 or later.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	node-ssri	>=0 <5.2.4-1	5.2.4-1
npm	ssri	>=0 <5.2.2	5.2.2
debian 11	node-ssri	>=0 <5.2.4-1	5.2.4-1
debian 13	node-ssri	>=0 <5.2.4-1	5.2.4-1
debian 12	node-ssri	>=0 <5.2.4-1	5.2.4-1

Aliases

1. CVE-2018-76512. NVD-2018-76513. OSV-DEBIAN-2018-76514. OSV-2018-76515. GHSA-325j-24f4-qv5x6. GCVE-2018-76517. SECURITY-TRACKER-CVE-2018-7651

References

1. https://github.com/zkat/ssri/issues/102. https://github.com/zkat/ssri/commit/d0ebcdc22cb5c8f47f89716d08b3518b2485d65d3. https://www.npmjs.com/advisories/565