CVE-2021-23364
Denial of Service vulnerability in browserslist (npm)

Denial of Service No known exploit

What is CVE-2021-23364 About?

The `browserslist` package, in versions from 4.0.0 (inclusive) up to but not including 4.16.5, is susceptible to a Regular Expression Denial of Service (ReDoS) in its query parser. An attacker who can supply the query string that browserslist parses can craft input that makes the parser's regular expression backtrack excessively, tying up the CPU of the process that runs it. The crafted input is short and simple to produce, so exploitation is easy wherever the query comes from an untrusted source.

Affected Software

browserslist >=4.0.0, <4.16.5

Technical Details

This vulnerability is a Regular Expression Denial of Service (ReDoS) affecting the browserslist package. The issue stems from an inefficient regular expression used when parsing query strings (for example `last 2 versions, not dead`). When a specially crafted query is supplied, the regex engine falls into catastrophic backtracking, so processing time grows superlinearly with the length of the input. The parsing thread consumes excessive CPU and stops making progress; because browserslist runs synchronously in a single-threaded Node.js process, this stalls the whole event loop, effectively resulting in a Denial of Service.

What is the Impact of CVE-2021-23364?

Successful exploitation allows an attacker to cause a Denial of Service by exhausting CPU in the process that parses the query, making the affected application unavailable or unresponsive to other requests for as long as the parse runs.

What is the Exploitability of CVE-2021-23364?

Exploitation is straightforward and of low complexity: it requires no authentication or privileges, only the ability to supply the query string that browserslist parses. The attack vector is remote whenever an application accepts a browserslist query from an untrusted source. Note, however, that browserslist is normally run at build time with queries taken from `package.json`, `.browserslistrc` or a tool's own configuration, so most installations are not reachable by an attacker. The exposed cases are services that let users specify or influence browser target queries, for example an online playground, a hosted build or transpilation service, or an API that passes a user-provided `browsers` option through to browserslist. Those services should treat the query as untrusted input and upgrade.
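One defense-in-depth measure for such a service, shown here as an added example that is not code from the browserslist project: pre-validate the user-supplied query before handing it to `browserslist()`. The length cap, the sub-query cap and the character whitelist are assumptions chosen for illustration (the whitelist is derived from the characters that appear in documented browserslist queries and may reject unusual but legitimate ones), and the check is a guard rail, not a substitute for upgrading to 4.16.5. The sample queries at the bottom are constructed for the demonstration.

```javascript
// Added example: guard user-supplied browserslist queries before they reach
// browserslist(). Not code from the browserslist project. MAX_QUERY_LENGTH,
// MAX_QUERIES and ALLOWED_CHARS are assumed limits chosen for illustration.

const MAX_QUERY_LENGTH = 256; // assumed hard cap on total query length
const MAX_QUERIES = 16;       // assumed cap on comma- / "or"-separated sub-queries

// Characters seen in documented queries such as "last 2 versions",
// "> 1% in US", "not ie <= 11", "since 2015-03", "Firefox ESR", "node 10".
const ALLOWED_CHARS = /^[A-Za-z0-9 .,%<>=_\-\/]*$/;

function validateBrowserslistQuery(input) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'query must be a string' };
  }
  if (input.length > MAX_QUERY_LENGTH) {
    return { ok: false, reason: `query longer than ${MAX_QUERY_LENGTH} characters` };
  }
  if (!ALLOWED_CHARS.test(input)) {
    return { ok: false, reason: 'query contains characters outside the allowed set' };
  }
  // Split on the separators browserslist accepts ("," and " or ") only to
  // count sub-queries; the real parsing is still left to the library.
  const parts = input
    .split(/,|\s+or\s+/i)
    .map((p) => p.trim())
    .filter(Boolean);
  if (parts.length === 0) {
    return { ok: false, reason: 'empty query' };
  }
  if (parts.length > MAX_QUERIES) {
    return { ok: false, reason: `more than ${MAX_QUERIES} sub-queries` };
  }
  // "extends <package>" makes browserslist load a shared config from
  // node_modules; untrusted input must never choose which module is loaded.
  if (parts.some((p) => /^extends\b/i.test(p))) {
    return { ok: false, reason: '"extends" is not allowed in user-supplied queries' };
  }
  return { ok: true, queries: parts };
}

// Constructed sample inputs: two legitimate queries, then inputs a hardened
// endpoint should refuse before calling browserslist().
const SAMPLE_INPUTS = [
  'last 2 versions, not dead',
  '> 1% in US or ie >= 9',
  'a'.repeat(300),                       // over the length cap
  'last 2 versions; echo pwned',         // character outside the whitelist
  'extends browserslist-config-foo',     // would load a module
  '   ',                                 // nothing to parse
];

for (const q of SAMPLE_INPUTS) {
  const result = validateBrowserslistQuery(q);
  console.log(result.ok ? 'ACCEPT' : 'REJECT', JSON.stringify(q.slice(0, 40)), result.reason || '');
}
```

Only a query that passes the guard should be forwarded to `browserslist(query)`; a rejected one is answered with a 400 and logged, which also gives you a cheap detection signal for probing.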

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits

What are the Available Fixes for CVE-2021-23364?

Available Upgrade Options

  • browserslist
    • >=4.0.0, <4.16.5 → Upgrade to 4.16.5 or later
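Because browserslist is pulled in transitively by tools such as autoprefixer and babel presets, a lockfile can contain several copies at different versions, and `npm ls browserslist` only answers for one project at a time. The following is an added example, not code from browserslist or npm, that walks an npm lockfile (both the `packages` map of lockfileVersion 2/3 and the nested `dependencies` tree of lockfileVersion 1) and flags every copy inside the advisory's range `>=4.0.0 <4.16.5`. The sample lockfile is constructed for the demonstration; to use it on a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.

```javascript
// Added example: audit an npm lockfile for browserslist copies inside the
// affected range (>=4.0.0 <4.16.5). Not code from browserslist or npm.
// SAMPLE_LOCK below is a constructed lockfile used only for demonstration.

const AFFECTED_MIN = [4, 0, 0];   // inclusive lower bound from the advisory
const FIXED_VERSION = [4, 16, 5]; // first fixed release (exclusive upper bound)

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into a numeric core plus
// a prerelease flag. Non-semver specifiers (git URLs, tags) return null.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(version).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Compare a parsed version with a plain [major, minor, patch] triple.
// A prerelease of X.Y.Z sorts before X.Y.Z itself, as semver specifies.
function compareToCore(parsed, core) {
  for (let i = 0; i < 3; i++) {
    if (parsed.core[i] !== core[i]) return parsed.core[i] < core[i] ? -1 : 1;
  }
  return parsed.prerelease ? -1 : 0;
}

function isAffected(version) {
  const parsed = parseSemver(version);
  if (!parsed) return false; // unparseable: report separately in a real audit
  return compareToCore(parsed, AFFECTED_MIN) >= 0 && compareToCore(parsed, FIXED_VERSION) < 0;
}

// Collect every browserslist entry, whatever depth it is installed at.
function findBrowserslist(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/foo/node_modules/browserslist".
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === 'node_modules/browserslist' || path.endsWith('/node_modules/browserslist')) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects mirror the install tree.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'browserslist') found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

function auditLockfile(lock) {
  return findBrowserslist(lock).map((e) => ({ ...e, affected: isAffected(e.version) }));
}

// Constructed sample (lockfileVersion 2): one vulnerable hoisted copy and one
// already-fixed copy nested under another dependency.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/browserslist': { version: '4.16.3' },
    'node_modules/autoprefixer': { version: '10.2.5', dependencies: { browserslist: '^4.16.3' } },
    'node_modules/some-tool/node_modules/browserslist': { version: '4.16.5' },
  },
};

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.affected ? 'AFFECTED' : 'ok      '} ${r.version.padEnd(12)} ${r.path}`);
}
```

A nested copy that is still in range after you bump the top-level dependency is the usual reason an upgrade "did not take"; `npm dedupe` or an explicit `overrides` entry for `browserslist` pins every copy to 4.16.5 or later.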


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23364?

Similar Vulnerabilities: CVE-2021-27292, CVE-2021-33503, CVE-2020-8294, CVE-2020-28283, CVE-2019-11324