Incorrect Regular Expression in browserslist

#VU66616 Incorrect Regular Expression in browserslist

Published: 2022-08-18

Vulnerability identifier: #VU66616

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-23364

CWE-ID: CWE-185

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
browserslist
Other software / Other software solutions

Vendor: Browserslist

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation
Install update from vendor's website.

Vulnerable software versions

browserslist: 4.0.0 - 4.16.4

External links
http://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182
http://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
http://github.com/browserslist/browserslist/pull/593
http://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474
http://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

Multiple vulnerabilities in IBM QRadar User Behavior Analytics

Incorrect Regular Expression in IBM Edge Application Manager

Multiple vulnerabilities in IBM Cloud Pak for Security