CVE-2021-28092
Regular Expression Denial of Service (ReDoS) vulnerability in is-svg (npm)
What is CVE-2021-28092 About?
The is-svg package for Node.js (versions 2.1.0 through 4.2.1) contains a Regular Expression Denial of Service (ReDoS) vulnerability. A malicious string provided by an attacker can make the package's regular expression backtrack for an excessively long time, consuming CPU and leading to a denial of service. Exploitation involves supplying specific malformed input to the regular expression.
Affected Software
Technical Details
The is-svg package (versions 2.1.0 through 4.2.1) uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). This occurs when a regex pattern contains certain features (like repetition with overlapping alternatives or nested quantifiers) that can cause the regex engine to backtrack an exponential number of times when processing specific malformed input strings. An attacker can craft a malicious string that, when evaluated by the vulnerable regular expression within is-svg, causes the Node.js process to spend an excessive amount of time (potentially indefinitely) matching the pattern. This consumes CPU resources, leading to the application becoming unresponsive and effectively causing a denial of service.
What is the Impact of CVE-2021-28092?
Successful exploitation may allow attackers to cause a denial of service, rendering the application or system unavailable to legitimate users.
What is the Exploitability of CVE-2021-28092?
Exploitation complexity is low to moderate, requiring an attacker to craft a specific string that triggers the ReDoS vulnerability. No authentication is required, so the vulnerability is remotely exploitable wherever the application passes untrusted input to is-svg. The primary prerequisite is that the application uses one of the affected is-svg versions to validate user-supplied input. The risk is greatest for applications that accept and process SVG content from untrusted sources, where exploitation leads to resource exhaustion and service unavailability.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-28092?
About the Fix from Resolved Security
The patch removes XML entities and DTD markup declarations from SVG input before it applies the main regex, preventing attackers from leveraging crafted markup to trigger excessive backtracking and ReDoS (Regular Expression Denial of Service). This directly addresses CVE-2021-28092 by eliminating the patterns that could cause the regex to exhibit worst-case performance, thereby protecting against denial-of-service attacks.
Available Upgrade Options
- is-svg
- >2.1.0, <4.2.2 → Upgrade to 4.2.2
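As an added example (not code from is-svg or from Resolved Security), the script below audits an npm lockfile for copies of is-svg inside the affected range, nested copies included. The lockfile contents are constructed for the example; the range 2.1.0 through 4.2.1 is taken from this advisory.

```javascript
// Added example (not is-svg's code): audit an npm lockfile for is-svg copies
// inside the range affected by CVE-2021-28092 (2.1.0 through 4.2.1, per the advisory).
// Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 ("dependencies" tree).
const ADVISORY = { name: 'is-svg', firstAffected: [2, 1, 0], fixedIn: [4, 2, 2] };

// Parses "MAJOR.MINOR.PATCH" (optional leading "v"); pre-release/build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// True when firstAffected <= version < fixedIn.
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, ADVISORY.firstAffected) >= 0 &&
         compareVersions(v, ADVISORY.fixedIn) < 0;
}
// Returns [{ path, version }] for every affected is-svg copy in the lockfile.
function findAffected(lockfile) {
  const hits = [];
  if (lockfile.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      const isTarget = path === `node_modules/${ADVISORY.name}` ||
                       path.endsWith(`/node_modules/${ADVISORY.name}`);
      if (isTarget && meta.version && isAffected(meta.version)) hits.push({ path, version: meta.version });
    }
    return hits;
  }
  const walk = (deps, prefix) => { // lockfileVersion 1: nested "dependencies" tree
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === ADVISORY.name && meta.version && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lockfile.dependencies, '');
  return hits;
}
// Constructed sample lockfile (v3 layout); not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/is-svg': { version: '4.2.1' },
  'node_modules/a-plugin/node_modules/is-svg': { version: '4.2.2' },
  'node_modules/legacy-tool/node_modules/is-svg': { version: '2.0.0' },
} };
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; only the 4.2.1 copy in the sample is reported.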
Additional Resources
- https://github.com/sindresorhus/is-svg/releases/tag/v4.2.2
- https://security.netapp.com/advisory/ntap-20210513-0008/
- https://www.npmjs.com/package/is-svg
- https://nvd.nist.gov/vuln/detail/CVE-2021-28092
- https://github.com/sindresorhus/is-svg/releases
- https://osv.dev/vulnerability/GHSA-7r28-3m3f-r2pr
- https://github.com/sindresorhus/is-svg/commit/01f8a087fab8a69c3ac9085fbb16035907ab6a5b
What are Similar Vulnerabilities to CVE-2021-28092?
Similar Vulnerabilities: CVE-2021-27290, CVE-2020-28100, CVE-2020-15949, CVE-2020-7711, CVE-2020-7674
