Description
The package hosted-git-info before 3.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity: an attacker who controls the string passed to fromUrl (a shortcut-style URL such as host:owner/repo) can make matching take time that grows with the square of the input length, tying up the event loop of the process that parses it. The impact is availability only (CVSS A:L, no confidentiality or integrity impact); it is exploitable over the network without privileges or user interaction. The fix landed in 3.0.8 and was also applied to the 2.x branch (see the v2 commits reference below).
References (7)
https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355 (Exploit, Patch, Third Party Advisory; x_refsource_misc)
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356 (Exploit, Patch, Third Party Advisory; x_refsource_misc)
https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3 (Patch, Third Party Advisory; x_refsource_misc)
https://github.com/npm/hosted-git-info/commits/v2 (Patch, Third Party Advisory; x_refsource_misc)
https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7 (Patch, Third Party Advisory; x_refsource_misc)
https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01 (Patch, Third Party Advisory; x_refsource_misc)
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf (Patch, Third Party Advisory; x_refsource_confirm)
Scores
CVSS v3 base score: 5.3 (Medium)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector: NETWORK
EPSS: 0.0055 (68.2th percentile)
Details
CWE: CWE-1333 (Inefficient Regular Expression Complexity)
Status
published
Products (3)
npm/hosted-git-info: 0 - 2.8.9
npmjs/hosted-git-info: 2.0.0 - 2.8.9
siemens/sinec_infrastructure_network_services: < 1.0.1.1
Published
Mar 23, 2021
Tracked Since
Feb 18, 2026