CVE-2021-29059

nodejs-is-svg: Regular expression denial of service if the application is provided and checks a crafted invalid SVG string

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A vulnerability was discovered in IS-SVG version 2.1.0 to 4.2.2 and below where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string.

Se ha descubierto una vulnerabilidad en las versiones 2.1.0 a 4.2.2 e inferiores de IS-SVG en la que se produce una denegación de servicio por expresión regular (ReDOS) si se proporciona la aplicación y se comprueba una cadena SVG no válida elaborada.

A flaw was found in IS-SVG where a Regular Expression Denial of Service (ReDOS) occurs if the application is provided and checks a crafted invalid SVG string. The highest threat from this vulnerability is to system availability.

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.9.0. Issues addressed include bypass, denial of service, and information leakage vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-22 CVE Reserved
2021-06-21 CVE Published
2024-08-03 CVE Updated
2024-08-03 First Exploit
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (6)

URL	Tag	Source
https://github.com/sindresorhus/is-svg/releases/tag/v4.3.0	Release Notes
https://github.com/yetingli/SaveResults/blob/main/js/is-svg.js	Third Party Advisory
https://www.npmjs.com/package/is-svg	Product

URL	Date	SRC
https://github.com/yetingli/PoCs/blob/main/CVE-2021-29059/IS-SVG.md	2024-08-03

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-29059	2021-10-18
https://bugzilla.redhat.com/show_bug.cgi?id=1974839	2021-10-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Is-svg Project Search vendor "Is-svg Project"		Is-svg Search vendor "Is-svg Project" for product "Is-svg"				>= 2.1.0 < 4.3.0 Search vendor "Is-svg Project" for product "Is-svg" and version " >= 2.1.0 < 4.3.0"		node.js		Affected