Bug 1955619 (CVE-2021-23364) - CVE-2021-23364 browserslist: parsing of invalid queries could result in Regular Expression Denial of Service (ReDoS)
Summary: CVE-2021-23364 browserslist: parsing of invalid queries could result in Regul...
Status: NEW
Alias: CVE-2021-23364
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1956624 1956625 1956626 1956627 1956628 1956629 1956630 1958615 1961140 1961141 1958323 1958324 1958325
Blocks: 1955624
TreeView+ depends on / blocked
Reported: 2021-04-30 14:38 UTC by Michael Kaplan
Modified: 2021-05-17 11:33 UTC (History)
25 users (show)

Fixed In Version: browserslist 4.16.5
Doc Type: If docs needed, set a value
Doc Text:
Regular Expression Denial of Service (ReDoS) vulnerability was found in browserslist library. An attacker can use this vulnerability to parse a query which potentially can lead to service degradation.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Michael Kaplan 2021-04-30 14:38:34 UTC
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.

Comment 3 Przemyslaw Roguski 2021-05-07 16:10:28 UTC

While some components do package a vulnerable version of nodejs browserslist library, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. 
This applies to the following products:
  - OpenShift Container Platform (OCP)
  - OpenShift ServiceMesh (OSSM)

In Red Had Quay , whilst a vulnerable version of `browserslist` is included in the quay-rhel8 container it is a development dependency only, therefor the impact is low.

Note You need to log in before you can comment on or make changes to this bug.