CVE-2021-27290
Regular Expression Denial of Service (ReDoS) vulnerability in ssri (npm)

Category: Regular Expression Denial of Service (ReDoS) | Known exploit: none | Fixable by: Resolved Security

What is CVE-2021-27290 About?

This vulnerability affects the npm package `ssri` (versions 5.2.2-6.0.1 and 7.0.0-8.0.0), whose regular expression for processing SRI strings is vulnerable to a denial of service. Malicious integrity strings can cause extremely long processing times, potentially leading to service unavailability. Exploitation requires providing a specially crafted SRI string that triggers the regex's inefficient matching.

Affected Software

  • ssri
    • >7.0.0, <7.1.1
    • >8.0.0, <8.0.1
    • >5.2.2, <6.0.2

Technical Details

The ssri package in npm, across the affected versions, uses a regular expression to process Subresource Integrity (SRI) strings. This regular expression contains patterns that are susceptible to Regular Expression Denial of Service (ReDoS). An attacker can craft a highly complex or malformed SRI string that, when evaluated by the vulnerable regex engine, causes exponential backtracking. The Node.js process then spends excessive CPU time on the input and is effectively unresponsive for a significant duration. This denial of service specifically impacts consumers who use the strict option during SRI processing, since that option selects the vulnerable pattern (STRICT_SRI_REGEX) in its most susceptible configuration.

What is the Impact of CVE-2021-27290?

Successful exploitation may allow attackers to cause a denial of service, rendering the application or system unavailable to legitimate users.

What is the Exploitability of CVE-2021-27290?

Exploitation complexity is low to moderate, requiring an attacker to craft a specific, malicious SRI string. No authentication is required if the application accepts and processes untrusted SRI strings. This is a remote attack vector if the application exposes its SRI processing functionality to external input. A key prerequisite and constraint is that the application must be using the strict option when processing SRIs with the affected ssri versions. The likelihood of exploitation increases in applications that validate or store user-supplied integrity hashes without proper input sanitization.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-27290?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch changes the STRICT_SRI_REGEX regular expression so that the options group (the trailing segments after the hash) is allowed zero or one time rather than zero or more times, by replacing `*` with `?`. This prevents parsing of malformed or malicious integrity strings with extra option sections, addressing a parsing issue in Subresource Integrity verification that led to CVE-2021-27290.

Available Upgrade Options

  • ssri
    • >5.2.2, <6.0.2 → Upgrade to 6.0.2
  • ssri
    • >7.0.0, <7.1.1 → Upgrade to 7.1.1
  • ssri
    • >8.0.0, <8.0.1 → Upgrade to 8.0.1
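The following is an added example, not code from ssri, npm or Resolved Security. It encodes the affected ranges and fixed versions from the upgrade table above and reports, for a version string or for a package-lock.json style nested `dependencies` tree, which ssri copies need to move and to which release. Lower bounds are treated as inclusive, matching the summary at the top of the page (5.2.2-6.0.1, 7.0.0-8.0.0). `fixedVersionFor`, `findAffectedSsri`, the minimal version comparison and the sample lockfile fragment are this example's own constructions.

```javascript
// Added example, not code from ssri or from this advisory's author. Encodes
// the affected ranges and fixed versions listed on this page. Lower bounds are
// treated as inclusive, matching the page's summary (5.2.2-6.0.1, 7.0.0-8.0.0);
// the upgrade table writes them with ">".
const CVE_2021_27290_RANGES = [
  { min: '5.2.2', maxExclusive: '6.0.2', fixed: '6.0.2' },
  { min: '7.0.0', maxExclusive: '7.1.1', fixed: '7.1.1' },
  { min: '8.0.0', maxExclusive: '8.0.1', fixed: '8.0.1' },
];

// Parse "major.minor.patch"; an optional leading "v" and any prerelease or
// build suffix are dropped. Returns null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Three-way numeric comparison of two parsed versions.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the release to upgrade to if `version` is affected, otherwise null.
// Throws on unparseable input so a bad lockfile entry is never silently safe.
function fixedVersionFor(version) {
  const parsed = parseVersion(version);
  if (!parsed) throw new Error(`unparseable ssri version: ${version}`);
  for (const r of CVE_2021_27290_RANGES) {
    if (compareVersions(parsed, parseVersion(r.min)) >= 0 &&
        compareVersions(parsed, parseVersion(r.maxExclusive)) < 0) {
      return r.fixed;
    }
  }
  return null;
}

// Walk a lockfile-v1-style nested "dependencies" tree (each entry may carry
// its own "dependencies") and collect every ssri entry that needs an upgrade.
function findAffectedSsri(lock, path = [], out = []) {
  const deps = (lock && lock.dependencies) || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = path.concat(name);
    if (name === 'ssri' && entry.version) {
      const fixed = fixedVersionFor(entry.version);
      if (fixed) out.push({ path: here.join(' > '), version: entry.version, fixed });
    }
    findAffectedSsri(entry, here, out);
  }
  return out;
}

// Constructed lockfile fragment, not a real project's lockfile.
const SAMPLE_LOCK = {
  dependencies: {
    ssri: { version: '8.0.0' },
    cacache: { version: '15.0.0', dependencies: { ssri: { version: '8.0.1' } } },
    'some-old-tool': { version: '1.0.0', dependencies: { ssri: { version: '5.3.0' } } },
  },
};

console.log(findAffectedSsri(SAMPLE_LOCK));
// [{ path: 'ssri', version: '8.0.0', fixed: '8.0.1' },
//  { path: 'some-old-tool > ssri', version: '5.3.0', fixed: '6.0.2' }]
```

Nested copies matter here: a top-level ssri at a fixed release says nothing about the deduplicated copy a transitive dependency still pins, which is why the walk recurses into every entry rather than checking only the root.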


Additional Resources

What are Similar Vulnerabilities to CVE-2021-27290?

Similar Vulnerabilities: CVE-2021-28092, CVE-2020-28100, CVE-2020-15949, CVE-2020-7711, CVE-2020-7674