CVE-2021-28092 in cssnano due to an old version of is-svg #20432

stanislavgeorgiev · 2021-04-01T16:06:19Z

Describe the bug
CVE-2021-28092

The is-svg package 2.1.0 through 4.2.1 for Node.js uses a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). If an attacker provides a malicious string, is-svg will get stuck processing the input for a very long time.

└─┬ @angular-devkit/build-angular@0.1102.6
└─┬ cssnano@4.1.10
└─┬ cssnano-preset-default@4.0.7
└─┬ postcss-svgo@4.0.2
└── is-svg@3.0.0

There's already an open defect against the postcss-svgo package and I'm filing this defect to adopt the new version once released

The text was updated successfully, but these errors were encountered:

alan-agius4 · 2021-04-01T16:14:25Z

Duplicate of #20317

angular-automatic-lock-bot · 2021-05-02T08:02:59Z

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}

alan-agius4 marked this as a duplicate of #20317 Apr 1, 2021

alan-agius4 closed this as completed Apr 1, 2021

angular-automatic-lock-bot bot locked and limited conversation to collaborators May 2, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2021-28092 in cssnano due to an old version of is-svg #20432

CVE-2021-28092 in cssnano due to an old version of is-svg #20432

stanislavgeorgiev commented Apr 1, 2021

alan-agius4 commented Apr 1, 2021

angular-automatic-lock-bot bot commented May 2, 2021

CVE-2021-28092 in cssnano due to an old version of is-svg #20432

CVE-2021-28092 in cssnano due to an old version of is-svg #20432

Comments

stanislavgeorgiev commented Apr 1, 2021

alan-agius4 commented Apr 1, 2021

angular-automatic-lock-bot bot commented May 2, 2021