Description
The package browserslist from 4.0.0 and before 4.16.5 are vulnerable to Regular Expression Denial of Service (ReDoS) during parsing of queries.
References (5)
Core 5
Core References
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
Exploit, Patch, Third Party Advisory x_refsource_misc
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1277182
Broken Link x_refsource_misc
https://github.com/browserslist/browserslist/blob/e82f32d1d4100d6bc79ea0b6b6a2d281a561e33c/index.js%23L472-L474
Patch, Third Party Advisory x_refsource_misc
https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
Third Party Advisory x_refsource_misc
https://github.com/browserslist/browserslist/pull/593
Scores
CVSS v3
5.3
EPSS
0.0045
EPSS Percentile
63.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Details
CWE
CWE-1333
Status
published
Products (2)
browserslist_project/browserslist
4.0.0 - 4.16.5
npm/browserslist
4.0.0 - 4.16.5npm
Published
Apr 28, 2021
Tracked Since
Feb 18, 2026