Description
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
Remediation
References
https://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474
https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
https://github.com/browserslist/browserslist/pull/593
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182
https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
Related Vulnerabilities
CVE-2021-3856 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2020-13934 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2020-28478 Vulnerability in npm package gsap
CVE-2016-4432 Vulnerability in maven package org.apache.qpid:qpid-broker-plugins-amqp-0-10-protocol
CVE-2016-5018 Vulnerability in maven package org.apache.tomcat:tomcat-jasper