{"id":"CVE-2021-27290","details":"ssri 5.2.2-8.0.0, fixed in 8.0.1, processes Subresource Integrity (SRI) strings using a regular expression that is vulnerable to regular expression denial of service (ReDoS). A malicious SRI string could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option. Per this record's affected ranges, the 5.2.2 line is fixed in 6.0.2 and the 7.0.0 line in 8.0.1.","aliases":["GHSA-vx3p-948g-6vhq"],"modified":"2026-04-16T04:34:22.316841026Z","published":"2021-03-12T22:15:14.843Z","related":["ALSA-2021:3073","ALSA-2021:3074","SUSE-SU-2021:2319-1","SUSE-SU-2021:2323-1","SUSE-SU-2021:2326-1","SUSE-SU-2021:2327-1","SUSE-SU-2021:2353-1","SUSE-SU-2021:2354-1","SUSE-SU-2021:2618-1","SUSE-SU-2021:2620-1","openSUSE-SU-2021:1059-1","openSUSE-SU-2021:1060-1","openSUSE-SU-2021:1061-1","openSUSE-SU-2021:1113-1","openSUSE-SU-2021:2327-1","openSUSE-SU-2021:2353-1","openSUSE-SU-2021:2354-1","openSUSE-SU-2021:2618-1","openSUSE-SU-2024:11096-1"],"references":[{"type":"WEB","url":"https://npmjs.com"},{"type":"FIX","url":"https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf"},{"type":"FIX","url":"https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"EVIDENCE","url":"https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"55ff3f2503007a859219b5e7f68b0f6ca95225f0"},{"introduced":"0"},{"last_affected":"771d7a8d2b73cf72a2622ca6305dcc9e9306f296"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"20.3.3"},{"introduced":"0"},{"last_affected":"21.2.0"}]}},{"type":"GIT","repo":"https://github.com/npm/ssri","events":[{"introduced":"0fb45e7e0eba615bf0080bf350c95e19412ff9a9"},{"fixed":"b7c8c7c61db89aeb9fbf7596c0ef17071bc216ef"},{"introduced":"9c76e0cf1079a314880078ddfa1dd2b241ba4133"},{"fixed":"3eec7a375a8c7664d4e33c212058313c6fb43c57"}],"database_specific":{"versions":[{"introduc
ed":"5.2.2"},{"fixed":"6.0.2"},{"introduced":"7.0.0"},{"fixed":"8.0.1"}]}}],"versions":["v5.2.2","v5.2.3","v5.2.4","v5.3.0","v6.0.0","v6.0.1","v7.0.0","v7.0.1","v7.1.0","v8.0.0","vm-19.3.0","vm-19.3.0.2","vm-19.3.1","vm-19.3.2","vm-19.3.2-pre","vm-19.3.3","vm-19.3.4","vm-19.3.5","vm-19.3.6","vm-20.0.0","vm-20.0.1","vm-20.1.0","vm-20.2.0","vm-20.3.0","vm-20.3.1","vm-20.3.1.2","vm-20.3.2","vm-20.3.3","vm-21.0.0","vm-21.0.0.2","vm-21.1.0","vm-ce-21.2.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-27290.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"fixed":"1.0.1.1"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}