CVE List

  1. CVE-2021-40901: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in scniro-validator version v1.0.1 when validating crafted invalid emails.
  2. CVE-2021-40900: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in regexfn version v1.0.5 when validating crafted invalid emails.
  3. CVE-2021-40899: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in repo-git-downloader version v0.1.1 when downloading crafted invalid git repositories.
  4. CVE-2021-40898: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in scaffold-helper version v1.2.0 when copying crafted invalid files.
  5. CVE-2021-40897: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in split-html-to-chars version v1.0.5 when splitting crafted invalid HTML.
  6. CVE-2021-40896: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in that-value version v0.1.3 when validating crafted invalid emails.
  7. CVE-2021-40895: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in todo-regex version v0.1.1 when matching crafted invalid TODO statements.
  8. CVE-2021-40894: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in underscore-99xp version v1.7.2 when the deepValueSearch function is called.
  9. CVE-2021-40893: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-data version v0.1.1 when validating crafted invalid emails.
  10. CVE-2021-40892: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validate-color version v2.1.0 when handling crafted invalid rgb(a) strings.
  11. CVE-2021-23663: All versions of package sey are vulnerable to Prototype Pollution via the deepmerge() function.
  12. CVE-2021-23561: All versions of package comb are vulnerable to Prototype Pollution via the deepMerge() function.
  13. CVE-2021-23797: All versions of package http-server-node are vulnerable to Directory Traversal via use of --path-as-is.
  14. CVE-2021-23700: All versions of package merge-deep2 are vulnerable to Prototype Pollution via the mergeDeep() function.
  15. CVE-2021-3801: prism is vulnerable to Inefficient Regular Expression Complexity.
  16. CVE-2021-3810: code-server is vulnerable to Inefficient Regular Expression Complexity.
  17. CVE-2021-3795: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in semver-regex when formatting crafted invalid semver versions.
  18. CVE-2021-3803: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in nth-check when parsing crafted invalid CSS nth-checks.
  19. CVE-2021-3807: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in ansi-regex when matching crafted invalid ANSI escape codes.
  20. CVE-2021-3765: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in validator.js when validating crafted invalid MagnetURIs.
  21. CVE-2021-3777: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in tmpl version v1.0.5 when formatting crafted strings.
  22. CVE-2021-3733: There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client.
  23. CVE-2021-36716: A ReDoS (regular expression denial of service) flaw was found in the Segment is-email package before 1.0.1 for Node.js. An attacker that is able to provide crafted input to the isEmail(input) function may cause an application to consume an excessive amount of CPU.
  24. CVE-2021-23437: The package pillow from 0 and before 8.3.2 is vulnerable to Regular Expression Denial of Service (ReDoS) via the getrgb function.
  25. CVE-2021-29063: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Mpmath version v1.0.0 when the mpmathify function is called.
  26. CVE-2021-29061: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Vfsjfilechooser2 version 0.2.9 and below which occurs when the application attempts to validate crafted URIs.
  27. CVE-2021-29060: A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
  28. CVE-2021-29059: A vulnerability was discovered in IS-SVG version 4.3.1 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.
  29. CVE-2021-23392: The package locutus before 2.0.15 is vulnerable to Regular Expression Denial of Service (ReDoS) via the gopher_parsedir function.
  30. CVE-2021-23343: All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
  31. CVE-2021-23364: The package browserslist from 4.0.0 and before 4.16.5 is vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
  32. CVE-2021-23382: The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s*# sourceMappingURL=(.*).
  33. CVE-2021-21391: Affected versions of several CKEditor 5 packages are vulnerable to Regular Expression Denial of Service (ReDoS). It allows abuse of particular regular expressions, which could cause a significant performance drop resulting in a browser tab freeze.
  34. CVE-2021-23368: The package postcss from 7.0.0 and before 8.2.10 is vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.
  35. CVE-2021-23362: The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
  36. CVE-2021-27290: ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
  37. CVE-2021-23354: The package printf before 0.6.1 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex Formatter.prototype._re in lib/printf.js. The vulnerable regular expression has cubic worst-case time complexity.
  38. CVE-2021-23353: This affects the package jspdf before 2.3.1. ReDoS is possible via the addImage function.
  39. CVE-2021-23346: This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.
  40. CVE-2021-23341: The package prismjs before 1.23.0 is vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
  41. CVE-2021-21317: uap-core is an open-source npm package which contains the core of BrowserScope's original user agent string parser. In uap-core before version 0.11.0, some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. This is fixed in version 0.11.0. Downstream packages such as uap-python, uap-ruby etc., which depend upon uap-core, follow different version schemes.
  42. CVE-2020-29651: A denial of service via regular expression in the py.path.svnwc component of py (aka python-py) through 1.9.0 could be used by attackers to cause a compute-time denial of service attack by supplying malicious input to the blame functionality.
  43. CVE-2020-28500: All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
  44. CVE-2020-28496: This affects the package three before 0.125.0. This can happen when handling rgb or hsl colors.
  45. CVE-2020-28493: This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the _punctuation_re regex operator and its use of multiple wildcards. The last wildcard is the most exploitable as it searches for trailing punctuation. This issue can be mitigated by using Markdown to format user content instead of the urlize filter, or by implementing request timeouts and limiting process memory.
  46. CVE-2020-28469: Affected versions of the package glob-parent are vulnerable to Regular Expression Denial of Service (ReDoS). The enclosure regex is used to check for strings ending in an enclosure containing a path separator.
  47. CVE-2020-27511: An issue was discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 version 1.6 and below where an attacker can cause a Regular Expression Denial of Service (ReDOS) through stripping crafted HTML tags.
  48. CVE-2020-7793: The package ua-parser-js before 0.7.23 is vulnerable to Regular Expression Denial of Service (ReDoS) in multiple regexes.
  49. CVE-2020-7779: All versions of package djvalidator are vulnerable to Regular Expression Denial of Service (ReDoS) by sending crafted invalid emails.
  50. CVE-2020-7767: All versions of package express-validators are vulnerable to Regular Expression Denial of Service (ReDoS) when validating specifically-crafted invalid urls.
  51. CVE-2020-7761: This affects the package @absolunet/kafe before 3.2.10. It allows causing a denial of service when validating crafted invalid emails.
  52. CVE-2020-7760: This affects the package codemirror before 5.58.2; the package org.apache.marmotta.webjars:codemirror before 5.58.2.
  53. CVE-2020-7755: All versions of package dat.gui are vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted rgb and rgba values.
  54. CVE-2020-7754: This affects the package npm-user-validate before 1.0.1. The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
  55. CVE-2020-7753: All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
  56. CVE-2020-7733: The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Last Updated: 07/28/2022, 04:00:00 PM