CVE-2021-23346 (Medium) detected in html-parse-stringify2-2.0.1.tgz #883
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
|
PR in progress at i18next/react-i18next#1275 Monitoring issue for when PR is merged. |
|
i18next/react-i18next#1275 Issued addressed in dependency and pulled into vulnerable package repo. React-i18next team confirmed issue is not exploitable at runtime. Gaen-mobile flagged package for update. Closing issue as confirmed no risk. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2021-23346 - Medium Severity Vulnerability
Parses well-formed HTML (meaning all tags closed) into an AST and back. quickly.
Library home page: https://registry.npmjs.org/html-parse-stringify2/-/html-parse-stringify2-2.0.1.tgz
Path to dependency file: gaen-mobile/node_modules/html-parse-stringify2/package.json
Path to vulnerable library: gaen-mobile/node_modules/html-parse-stringify2/package.json
Dependency Hierarchy:
Found in base branch: develop
This affects the package html-parse-stringify before 2.0.1; all versions of package html-parse-stringify2. Sending certain input could cause one of the regular expressions that is used for parsing to backtrack, freezing the process.
Publish Date: 2021-03-04
URL: CVE-2021-23346
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: GHSA-545q-3fg6-48m7
Release Date: 2021-03-04
Fix Resolution: html-parse-stringify 2.0.1
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: