High severityNVD Advisory· Published May 24, 2021· Updated Aug 3, 2024
CVE-2021-33502
CVE-2021-33502
Description
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
normalize-urlnpm | >= 4.3.0, < 4.5.1 | 4.5.1 |
normalize-urlnpm | >= 5.0.0, < 5.3.1 | 5.3.1 |
normalize-urlnpm | >= 6.0.0, < 6.0.1 | 6.0.1 |
Affected products
10- Node.js/normalize-urldescription
- ghsa-coords9 versionspkg:npm/normalize-urlpkg:rpm/almalinux/nodejspkg:rpm/almalinux/nodejs-develpkg:rpm/almalinux/nodejs-docspkg:rpm/almalinux/nodejs-full-i18npkg:rpm/almalinux/nodejs-libspkg:rpm/almalinux/nodejs-nodemonpkg:rpm/almalinux/nodejs-packagingpkg:rpm/almalinux/npm
>= 4.3.0, < 4.5.1+ 8 more
- (no CPE)range: >= 4.3.0, < 4.5.1
- (no CPE)range: < 1:16.13.1-3.module_el8.5.0+2605+45d748af
- (no CPE)range: < 1:16.13.1-3.module_el8.5.0+2605+45d748af
- (no CPE)range: < 1:16.13.1-3.module_el8.5.0+2605+45d748af
- (no CPE)range: < 1:16.13.1-3.module_el8.5.0+2605+45d748af
- (no CPE)range: < 1:16.16.0-1.el9_0
- (no CPE)range: < 2.0.15-1.module_el8.6.0+2904+f21ad6f4
- (no CPE)range: < 25-1.module_el8.5.0+246+05401605
- (no CPE)range: < 1:8.1.2-1.16.13.1.3.module_el8.5.0+2605+45d748af
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-px4h-xg32-q955ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-33502ghsaADVISORY
- github.com/sindresorhus/normalize-url/commit/b1fdb5120b6d27a88400d8800e67ff5a22bd2103ghsaWEB
- github.com/sindresorhus/normalize-url/releases/tag/v6.0.1ghsax_refsource_CONFIRMWEB
- security.netapp.com/advisory/ntap-20210706-0001ghsaWEB
- security.netapp.com/advisory/ntap-20210706-0001/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.