Vulnerability details: VCID-w93e-wkm9-kuex
Vulnerability ID VCID-w93e-wkm9-kuex
Aliases CVE-2021-27290
GHSA-vx3p-948g-6vhq
Summary Regular Expression Denial of Service (ReDoS): npm `ssri` 5.2.2 through 6.0.1 and 7.0.0 through 8.0.0 process SRIs (Subresource Integrity strings) using a regular expression that is vulnerable to catastrophic backtracking. A malicious SRI could take an extremely long time to process, leading to denial of service. This issue only affects consumers that parse SRIs with the strict option enabled.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
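The summary above says only that a regular expression in ssri's strict SRI parsing backtracks catastrophically. The JavaScript below is an added example, not code from this page or from the ssri package: it reconstructs the pattern shape (assumption: the pre-fix strict pattern ends in a repeated option group `(\?[\x21-\x7E]*)*` and the fix narrows that outer `*` to `?`), puts the vulnerable form beside the hardened one, and times both on a constructed attacker string so the exponential-versus-linear difference is visible.

```javascript
// Added example (not from this page or the ssri package): the ReDoS shape
// behind CVE-2021-27290 in strict SRI parsing, a vulnerable regex beside
// its hardened form, and a timing harness on constructed attacker input.
//
// Assumption: the pre-fix strict pattern ended in a repeated option group
// `(\?[\x21-\x7E]*)*` and the fix narrows that outer `*` to `?`. Both
// patterns below are reconstructed for illustration.

// Vulnerable shape. "?" (0x3F) is itself inside [\x21-\x7E], so a run of n
// "?" characters can be split between `\?` and `[\x21-\x7E]*` in about
// 2^(n-1) ways. When the overall match then fails, a backtracking engine
// such as V8's irregexp tries every one of them.
const VULN_STRICT_SRI = /^([a-z0-9]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)*$/;

// Hardened shape: at most one option group, so every "?" has exactly one
// way to be consumed and the match is linear in the input length.
const SAFE_STRICT_SRI = /^([a-z0-9]+)-([A-Za-z0-9+/=]{44,88})(\?[\x21-\x7E]*)?$/;

// Parse "<algorithm>-<base64 digest>[?opt[?opt...]]" with the given regex.
// Returns { algorithm, digest, options } or null when the string is rejected.
function parseStrictSri(sri, regex = SAFE_STRICT_SRI) {
  const m = regex.exec(sri);
  if (!m) return null;
  // Options are taken from the raw remainder rather than from capture 3,
  // because a repeated group only captures its last iteration.
  const rest = sri.slice(m[1].length + 1 + m[2].length);
  return { algorithm: m[1], digest: m[2], options: rest.split('?').filter(Boolean) };
}

// Constructed attacker input: a valid-looking prefix, a run of n "?" and a
// final space (0x20, outside [\x21-\x7E]) so the match can only fail after
// the engine has explored every split of the "?" run.
function maliciousSri(n) {
  return 'sha512-' + 'A'.repeat(88) + '?'.repeat(n) + ' ';
}

// Time one regex.test() call; returns the verdict and elapsed milliseconds.
function timeTest(regex, input) {
  const start = process.hrtime.bigint();
  const matched = regex.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

function demo() {
  // A well-formed strict SRI: sha512 digests are 88 base64 characters.
  const good = 'sha512-' + 'A'.repeat(86) + '==' + '?foo?bar';
  console.log('parsed:', parseStrictSri(good));

  // Each extra "?" roughly doubles the vulnerable pattern's running time.
  for (const n of [12, 14, 16, 18]) {
    const bad = maliciousSri(n);
    const v = timeTest(VULN_STRICT_SRI, bad);
    const s = timeTest(SAFE_STRICT_SRI, bad);
    console.log(`n=${n}: vulnerable ${v.ms.toFixed(2)} ms, hardened ${s.ms.toFixed(3)} ms,`
      + ` both reject=${!v.matched && !s.matched}`);
  }

  // The hardened pattern stays linear even on a very long run.
  const big = timeTest(SAFE_STRICT_SRI, maliciousSri(200000));
  console.log(`n=200000: hardened ${big.ms.toFixed(2)} ms, reject=${!big.matched}`);
}

demo();
```

Run it with `node`. Both patterns give the same verdict on every input; the difference is cost: the vulnerable form doubles for each additional `?`, the hardened form handles two hundred thousand of them in milliseconds. The general rule the fix illustrates is that a repeated group is ambiguous whenever its delimiter is also a member of the class it repeats over; making the group non-repeating, or excluding the delimiter from the class, removes the ambiguity. For ssri itself, upgrade to a release containing the fix commits listed under References rather than patching the regex locally.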
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27290.json
epss 0.02665 https://api.first.org/data/v1/epss?cve=CVE-2021-27290
epss 0.04327 https://api.first.org/data/v1/epss?cve=CVE-2021-27290
cvssv3.1 7.5 https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
generic_textual HIGH https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
cvssv3.1 7.5 https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
generic_textual HIGH https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-vx3p-948g-6vhq
cvssv3.1 7.5 https://github.com/npm/ssri
generic_textual HIGH https://github.com/npm/ssri
cvssv3.1 7.5 https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
generic_textual HIGH https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
cvssv3.1 7.5 https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538
generic_textual HIGH https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538
cvssv3.1 7.5 https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1
generic_textual HIGH https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1
cvssv3.1 7.5 https://github.com/npm/ssri/pull/20#issuecomment-842677644
generic_textual HIGH https://github.com/npm/ssri/pull/20#issuecomment-842677644
cvssv3.1 7.5 https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
generic_textual HIGH https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
cvssv3.1 7.5 https://npmjs.com
generic_textual HIGH https://npmjs.com
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-27290
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-27290
archlinux High https://security.archlinux.org/AVG-2126
cvssv3.1 7.5 https://www.npmjs.com/package/ssri
generic_textual HIGH https://www.npmjs.com/package/ssri
cvssv3.1 7.5 https://www.oracle.com/security-alerts/cpuoct2021.html
generic_textual HIGH https://www.oracle.com/security-alerts/cpuoct2021.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27290.json
https://api.first.org/data/v1/epss?cve=CVE-2021-27290
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/npm/ssri
https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538
https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1
https://github.com/npm/ssri/pull/20#issuecomment-842677644
https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
https://npmjs.com
https://nvd.nist.gov/vuln/detail/CVE-2021-27290
https://www.npmjs.com/package/ssri
https://www.oracle.com/security-alerts/cpuoct2021.html
1941471 https://bugzilla.redhat.com/show_bug.cgi?id=1941471
985841 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985841
ASA-202107-13 https://security.archlinux.org/ASA-202107-13
AVG-2126 https://security.archlinux.org/AVG-2126
GHSA-vx3p-948g-6vhq https://github.com/advisories/GHSA-vx3p-948g-6vhq
RHSA-2021:2931 https://access.redhat.com/errata/RHSA-2021:2931
RHSA-2021:2932 https://access.redhat.com/errata/RHSA-2021:2932
RHSA-2021:3073 https://access.redhat.com/errata/RHSA-2021:3073
RHSA-2021:3074 https://access.redhat.com/errata/RHSA-2021:3074
RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638
RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5, High)
Attack Vector (AV): network
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): none
Integrity Impact (I): none
Availability Impact (A): high
Found at (every source below reports this same vector):
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-27290.json
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/npm/ssri
https://github.com/npm/ssri/commit/76e223317d971f19e4db8191865bdad5edee40d2
https://github.com/npm/ssri/commit/809c84d09ea87c3857fa171d42914586899d4538
https://github.com/npm/ssri/commit/b30dfdb00bb94ddc49a25a85a18fb27afafdfbb1
https://github.com/npm/ssri/pull/20#issuecomment-842677644
https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf
https://npmjs.com
https://nvd.nist.gov/vuln/detail/CVE-2021-27290
https://www.npmjs.com/package/ssri
https://www.oracle.com/security-alerts/cpuoct2021.html

Exploit Prediction Scoring System (EPSS)
Percentile 0.85724
EPSS Score 0.02665
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:01:57.450738+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/03/GHSA-vx3p-948g-6vhq/GHSA-vx3p-948g-6vhq.json 38.0.0