CVE-2021-27290

ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
ssri_projectssri
5.2.2 ≤
𝑥
< 6.0.2
ssri_projectssri
7.0.0 ≤
𝑥
< 8.0.1
oraclegraalvm
20.3.3
oraclegraalvm
21.2.0
siemenssinec_infrastructure_network_services
𝑥
< 1.0.1.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
node-ssri
bookworm
9.0.1-2
fixed
bullseye
8.0.1-2
fixed
buster
no-dsa
sid
9.0.1-3
fixed
trixie
9.0.1-3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
node-ssri
bionic
not-affected
focal
needed
groovy
ignored
hirsute
ignored
impish
ignored
jammy
needed
kinetic
ignored
lunar
not-affected
mantic
not-affected
noble
not-affected
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
nodejs-common
suse enterprise sap 15
2.0-3.2.1
fixed
suse enterprise sap 15 SP1
2.0-3.2.1
fixed
suse enterprise sap 15 SP2
2.0-3.2.1
fixed
suse enterprise server 15
2.0-3.2.1
fixed
suse enterprise server 15 SP1
2.0-3.2.1
fixed
suse enterprise server 15 SP2
2.0-3.2.1
fixed
nodejs10
suse enterprise sap 15
10.24.1-1.36.1
fixed
suse enterprise sap 15 SP1
10.24.1-1.36.1
fixed
suse enterprise sap 15 SP2
10.24.1-1.36.1
fixed
suse enterprise server 15
10.24.1-1.36.1
fixed
suse enterprise server 15 SP1
10.24.1-1.36.1
fixed
suse enterprise server 15 SP2
10.24.1-1.36.1
fixed
nodejs10-devel
suse enterprise sap 15
10.24.1-1.36.1
fixed
suse enterprise sap 15 SP1
10.24.1-1.36.1
fixed
suse enterprise sap 15 SP2
10.24.1-1.36.1
fixed
suse enterprise server 15
10.24.1-1.36.1
fixed
suse enterprise server 15 SP1
10.24.1-1.36.1
fixed
suse enterprise server 15 SP2
10.24.1-1.36.1
fixed
nodejs10-docs
suse enterprise sap 15
10.24.1-1.36.1
fixed
suse enterprise sap 15 SP1
10.24.1-1.36.1
fixed
suse enterprise sap 15 SP2
10.24.1-1.36.1
fixed
suse enterprise server 15
10.24.1-1.36.1
fixed
suse enterprise server 15 SP1
10.24.1-1.36.1
fixed
suse enterprise server 15 SP2
10.24.1-1.36.1
fixed
nodejs12
suse enterprise sap 15 SP2
12.22.2-4.16.1
fixed
suse enterprise sap 15 SP3
12.22.2-4.16.1
fixed
suse enterprise server 15 SP2
12.22.2-4.16.1
fixed
suse enterprise server 15 SP3
12.22.2-4.16.1
fixed
nodejs12-devel
suse enterprise sap 15 SP2
12.22.2-4.16.1
fixed
suse enterprise sap 15 SP3
12.22.2-4.16.1
fixed
suse enterprise server 15 SP2
12.22.2-4.16.1
fixed
suse enterprise server 15 SP3
12.22.2-4.16.1
fixed
nodejs12-docs
suse enterprise sap 15 SP2
12.22.2-4.16.1
fixed
suse enterprise sap 15 SP3
12.22.2-4.16.1
fixed
suse enterprise server 15 SP2
12.22.2-4.16.1
fixed
suse enterprise server 15 SP3
12.22.2-4.16.1
fixed
nodejs14
suse enterprise sap 15 SP2
14.17.2-5.12.1
fixed
suse enterprise sap 15 SP3
14.17.2-5.12.1
fixed
suse enterprise server 15 SP2
14.17.2-5.12.1
fixed
suse enterprise server 15 SP3
14.17.2-5.12.1
fixed
nodejs14-devel
suse enterprise sap 15 SP2
14.17.2-5.12.1
fixed
suse enterprise sap 15 SP3
14.17.2-5.12.1
fixed
suse enterprise server 15 SP2
14.17.2-5.12.1
fixed
suse enterprise server 15 SP3
14.17.2-5.12.1
fixed
nodejs14-docs
suse enterprise sap 15 SP2
14.17.2-5.12.1
fixed
suse enterprise sap 15 SP3
14.17.2-5.12.1
fixed
suse enterprise server 15 SP2
14.17.2-5.12.1
fixed
suse enterprise server 15 SP3
14.17.2-5.12.1
fixed
nodejs8
suse enterprise sap 15
8.17.0-3.47.2
fixed
suse enterprise sap 15 SP1
8.17.0-3.47.2
fixed
suse enterprise sap 15 SP2
8.17.0-10.12.2
fixed
suse enterprise server 15
8.17.0-3.47.2
fixed
suse enterprise server 15 SP1
8.17.0-3.47.2
fixed
suse enterprise server 15 SP2
8.17.0-10.12.2
fixed
nodejs8-devel
suse enterprise sap 15
8.17.0-3.47.2
fixed
suse enterprise sap 15 SP1
8.17.0-3.47.2
fixed
suse enterprise sap 15 SP2
8.17.0-10.12.2
fixed
suse enterprise server 15
8.17.0-3.47.2
fixed
suse enterprise server 15 SP1
8.17.0-3.47.2
fixed
suse enterprise server 15 SP2
8.17.0-10.12.2
fixed
nodejs8-docs
suse enterprise sap 15
8.17.0-3.47.2
fixed
suse enterprise sap 15 SP1
8.17.0-3.47.2
fixed
suse enterprise sap 15 SP2
8.17.0-10.12.2
fixed
suse enterprise server 15
8.17.0-3.47.2
fixed
suse enterprise server 15 SP1
8.17.0-3.47.2
fixed
suse enterprise server 15 SP2
8.17.0-10.12.2
fixed
npm10
suse enterprise sap 15
10.24.1-1.36.1
fixed
suse enterprise sap 15 SP1
10.24.1-1.36.1
fixed
suse enterprise sap 15 SP2
10.24.1-1.36.1
fixed
suse enterprise server 15
10.24.1-1.36.1
fixed
suse enterprise server 15 SP1
10.24.1-1.36.1
fixed
suse enterprise server 15 SP2
10.24.1-1.36.1
fixed
npm12
suse enterprise sap 15 SP2
12.22.2-4.16.1
fixed
suse enterprise sap 15 SP3
12.22.2-4.16.1
fixed
suse enterprise server 15 SP2
12.22.2-4.16.1
fixed
suse enterprise server 15 SP3
12.22.2-4.16.1
fixed
npm14
suse enterprise sap 15 SP2
14.17.2-5.12.1
fixed
suse enterprise sap 15 SP3
14.17.2-5.12.1
fixed
suse enterprise server 15 SP2
14.17.2-5.12.1
fixed
suse enterprise server 15 SP3
14.17.2-5.12.1
fixed
npm8
suse enterprise sap 15
8.17.0-3.47.2
fixed
suse enterprise sap 15 SP1
8.17.0-3.47.2
fixed
suse enterprise sap 15 SP2
8.17.0-10.12.2
fixed
suse enterprise server 15
8.17.0-3.47.2
fixed
suse enterprise server 15 SP1
8.17.0-3.47.2
fixed
suse enterprise server 15 SP2
8.17.0-10.12.2
fixed
References
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
https://npmjs.com
https://www.oracle.com/security-alerts/cpuoct2021.html
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
https://npmjs.com
https://www.oracle.com/security-alerts/cpuoct2021.html