Regular Expression Denial of Service (ReDoS) Affecting html-parse-stringify package, versions <2.0.1
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.3% (70th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-HTMLPARSESTRINGIFY-1079306
- published 1 Mar 2021
- disclosed 1 Mar 2021
- credit Yeting Li
Introduced: 1 Mar 2021
CVE-2021-23346 Open this link in a new tabHow to fix?
Upgrade html-parse-stringify
to version 2.0.1 or higher.
Overview
html-parse-stringify is a https://github.com/henrikjoreteg/html-parse-stringify
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS). Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.
CVSS Scores
version 3.1