Vulnerability Details : CVE-2021-23346
Potential exploit
This affects the package html-parse-stringify before 2.0.1 and all versions of the package html-parse-stringify2. Sending certain input could cause one of the regular expressions used for parsing to backtrack catastrophically, freezing the process (a regular expression denial of service, ReDoS).
Products affected by CVE-2021-23346
- cpe:2.3:a:html-parse-stringify_project:html-parse-stringify:*:*:*:*:*:node.js:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-23346
- EPSS score: 0.36% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~72% (the proportion of vulnerabilities that are scored at or below this value)
CVSS scores for CVE-2021-23346
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 | NIST | |
4.8 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N | 2.2 | 2.5 | Snyk | |
References for CVE-2021-23346
- https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY-1079306 : Regular Expression Denial of Service (ReDoS) in html-parse-stringify | Snyk (Exploit; Patch; Third Party Advisory)
- https://github.com/rayd/html-parse-stringify2/blob/master/lib/parse.js%23L2 : Page not found · GitHub (Broken Link; Third Party Advisory)
- https://github.com/HenrikJoreteg/html-parse-stringify/commit/c7274a48e59c92b2b7e906fedf9065159e73fe12 : fixing reported ReDoS · HenrikJoreteg/html-parse-stringify@c7274a4 · GitHub (Patch; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-HTMLPARSESTRINGIFY2-1079307 : Regular Expression Denial of Service (ReDoS) in html-parse-stringify2 | Snyk (Exploit; Patch; Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1080633 : Regular Expression Denial of Service (ReDoS) in org.webjars.npm:html-parse-stringify2 | Snyk (Exploit; Patch; Third Party Advisory)
- https://github.com/HenrikJoreteg/html-parse-stringify/blob/master/lib/parse.js%23L2 : Page not found · GitHub (Broken Link; Third Party Advisory)