Regular Expression Denial of Service (ReDoS) Affecting uri-js package, versions <3.0.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.06% (29th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Regular Expression Denial of Service (ReDoS) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDnpm:uri-js:20160804
  • published16 Apr 2017
  • disclosed15 Mar 2016
  • creditPeter Dotchev

Introduced: 15 Mar 2016

CVE-2017-16021  (opens in a new tab)
CWE-400  (opens in a new tab)

How to fix?

Upgrade uri-js to version 3.0.0 or higher.

Overview

uri-js is an RFC 3986/3987 compliant, scheme extendable URI/IRI parsing/validating/resolving library for JavaScript.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when validating URLs.

CVSS Scores

version 3.1