JFrog Security Research

XRAY-211351 - uri-template-lite URI.expand ReDoS

CVE-2021-43309 | CVSS 5.9

JFrog Severity: medium

Discovered by Denys Vozniuk of the JFrog Security Research Team

Published 3 Aug, 2022 | Last updated 3 Aug, 2022

Exponential ReDoS in uri-template-lite leads to denial of service


uri-template-lite

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package when an attacker can supply arbitrary input to the URI.expand() method.

The vulnerable regular expression can be found at "/package/index.js" - \{([#&+.\/;?]?)((?:[-\w%.]+(\*|:\d+)?,?)+)\}

'{0' + '0'.repeat(1000)
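As an added example (not code from the advisory or from the uri-template-lite package), the script below runs the quoted expression against short inputs of the payload shape, compares its matches with an unambiguous rewrite, and shows a caller-side length guard; the rewrite and the guard are assumptions of this example, not an upstream fix.

```javascript
// Added example, not code from the JFrog advisory or uri-template-lite.
// The expression from uri-template-lite as quoted in the advisory.
const VULNERABLE_RE = /\{([#&+.\/;?]?)((?:[-\w%.]+(\*|:\d+)?,?)+)\}/g;

// Assumed rewrite: every repetition of the inner group must end at a ','
// or right before the closing '}'. None of ',', '*', ':' or '}' is in
// [-\w%.], so a run of n variable characters can no longer be split across
// iterations in 2^(n-1) ways. Malformed templates such as '{a*b}' are
// rejected instead of matched, which RFC 6570 templates never need.
const LINEAR_RE = /\{([#&+.\/;?]?)((?:[-\w%.]+(\*|:\d+)?(?:,|(?=\})))+)\}/g;

// Constructed payload of the shape given in the advisory: no closing brace,
// so the match must fail only after every split of the digit run is tried.
const PAYLOAD = '{0' + '0'.repeat(1000);

// List the expressions a regex finds in a template as [prefix, variables].
function findExpressions(re, template) {
  const found = [];
  for (const m of template.matchAll(re)) found.push([m[1], m[2]]);
  return found;
}

// Caller-side guard (assumed, not part of the package): bound the template
// length before any regex runs so untrusted input cannot pick the cost.
function guardTemplate(template, maxLength = 256) {
  if (typeof template !== 'string') throw new TypeError('template must be a string');
  if (template.length > maxLength) {
    throw new RangeError(`template of ${template.length} chars exceeds ${maxLength}`);
  }
  return template;
}

// Wall-clock cost of one match attempt in milliseconds.
function matchCostMs(re, input) {
  re.lastIndex = 0;
  const start = performance.now();
  re.exec(input);
  return performance.now() - start;
}

// Demo: cost of the vulnerable expression doubles with each extra digit,
// while the rewrite rejects the full 1000-character payload immediately.
for (const n of [12, 16, 18]) {
  const input = '{0' + '0'.repeat(n);
  console.log(`vulnerable n=${n}: ${matchCostMs(VULNERABLE_RE, input).toFixed(2)} ms`);
}
console.log(`rewrite n=1000: ${matchCostMs(LINEAR_RE, PAYLOAD).toFixed(2)} ms`);
```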

No mitigations are supplied for this issue.

