CVE-2021-33502
Description
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The normalize-url package for Node.js before versions 4.5.1, 5.3.1, and 6.0.1 is vulnerable to ReDoS via crafted data: URLs.
Vulnerability
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js contains a regular expression denial of service (ReDoS) vulnerability. The issue resides in the normalizeDataURL function, which uses the regex `/^data:(?<type>.*?),(?<data>.*?)(?:#(?<hash>.*))?$/`. Because `.` also matches `,` and `#`, the engine has many candidate ways to split an input between the `type`, `data` and `hash` groups, and it retries them all when the overall match fails. The regex therefore exhibits exponential backtracking on specially crafted data: URLs, leading to excessive CPU consumption [1][2][4].
Exploitation
An attacker can exploit this vulnerability by providing a maliciously crafted data: URL to an application that uses the vulnerable normalize-url function. No authentication or special privileges are required; the attacker only needs to supply the URL via any input vector (e.g., HTTP request, file upload). The crafted URL contains a pattern that triggers catastrophic backtracking in the regex, causing exponential processing time [2][4]. The commit that fixes the issue includes a test demonstrating the performance problem with URLs containing many `,#` sequences [4].
Impact
Successful exploitation results in a denial of service (DoS) condition. The application becomes unresponsive or consumes excessive CPU resources, potentially affecting availability for legitimate users. The impact is limited to availability; no data confidentiality or integrity is compromised [2].
Mitigation
The vulnerability is fixed in versions 4.5.1, 5.3.1, and 6.0.1 of the normalize-url package [1][3]. Users should upgrade to these patched versions. The fix replaces the `.*?` quantifiers with negated character classes (`[^,]*?` for the type and `[^#]*?` for the data) so that neither group can run past its delimiter, which removes the ambiguity that drove the backtracking [4]. No workarounds are documented; upgrading is the recommended action.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
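The pre-fix regex beside the one from the fix commit, wrapped in a small parser that mirrors the matching step of normalizeDataURL. This is an added example, not normalize-url's own code; `parseDataURL`, `craftedInput` and `timedParse` are names chosen here, and the crafted input is the one the fix commit's regression test builds.

```javascript
// Added example (not normalize-url's own code): the pre-fix regex beside the
// one from the fix commit, wrapped in a small data: URL parser.
const VULNERABLE_RE = /^data:(?<type>.*?),(?<data>.*?)(?:#(?<hash>.*))?$/;
const PATCHED_RE = /^data:(?<type>[^,]*?),(?<data>[^#]*?)(?:#(?<hash>.*))?$/;

// Mirrors the matching step of normalizeDataURL: return the named groups, or
// throw the same "Invalid URL" error when the regex does not match.
function parseDataURL(urlString, re = PATCHED_RE) {
  const match = re.exec(urlString);
  if (!match) {
    throw new Error(`Invalid URL: ${urlString}`);
  }
  const {type, data, hash} = match.groups;
  return {type, data, hash};
}

// Builds the input from the fix commit's regression test: `pairs` copies of
// ",#" followed by "\ra". Neither "." nor the negated classes match "\r", so
// the regex can never match and the engine has to exhaust its alternatives.
function craftedInput(pairs) {
  return 'data:' + ',#'.repeat(pairs) + '\ra';
}

// Runs one parse attempt and reports whether it was rejected and how long it took.
function timedParse(urlString, re) {
  const start = Date.now();
  let rejected = false;
  try {
    parseDataURL(urlString, re);
  } catch {
    rejected = true;
  }
  return {rejected, ms: Date.now() - start};
}

// Both regexes agree on ordinary data: URLs, including payloads that contain
// extra commas or hashes, so the fix does not change which inputs are accepted.
for (const url of ['data:text/plain;base64,SGVsbG8=#frag', 'data:text/plain,a,b#c#d']) {
  console.log(url, parseDataURL(url, VULNERABLE_RE), parseDataURL(url, PATCHED_RE));
}
// The patched regex rejects the crafted input in a single pass; the pre-fix
// regex takes progressively longer as `pairs` grows.
for (const pairs of [100, 200, 400]) {
  console.log(pairs, 'pre-fix', timedParse(craftedInput(pairs), VULNERABLE_RE).ms, 'ms');
}
console.log(1000, 'patched', timedParse(craftedInput(1000), PATCHED_RE));
```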
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| normalize-url (npm) | >= 4.3.0, < 4.5.1 | 4.5.1 |
| normalize-url (npm) | >= 5.0.0, < 5.3.1 | 5.3.1 |
| normalize-url (npm) | >= 6.0.0, < 6.0.1 | 6.0.1 |
Affected products
Node.js / normalize-url. No CPE identifiers are recorded for these entries.
| Package (purl) | Affected range |
|---|---|
| pkg:npm/normalize-url | >= 4.3.0, < 4.5.1 |
| pkg:rpm/almalinux/nodejs | < 1:16.13.1-3.module_el8.5.0+2605+45d748af |
| pkg:rpm/almalinux/nodejs-devel | < 1:16.13.1-3.module_el8.5.0+2605+45d748af |
| pkg:rpm/almalinux/nodejs-docs | < 1:16.13.1-3.module_el8.5.0+2605+45d748af |
| pkg:rpm/almalinux/nodejs-full-i18n | < 1:16.13.1-3.module_el8.5.0+2605+45d748af |
| pkg:rpm/almalinux/nodejs-libs | < 1:16.16.0-1.el9_0 |
| pkg:rpm/almalinux/nodejs-nodemon | < 2.0.15-1.module_el8.6.0+2904+f21ad6f4 |
| pkg:rpm/almalinux/nodejs-packaging | < 25-1.module_el8.5.0+246+05401605 |
| pkg:rpm/almalinux/npm | < 1:8.1.2-1.16.13.1.3.module_el8.5.0+2605+45d748af |
Patches
b1fdb5120b6d: Fix ReDoS for data URLs
2 files changed · +15 −1
index.js+1 −1 modified@@ -9,7 +9,7 @@ const testParameter = (name, filters) => { }; const normalizeDataURL = (urlString, {stripHash}) => { - const match = /^data:(?<type>.*?),(?<data>.*?)(?:#(?<hash>.*))?$/.exec(urlString); + const match = /^data:(?<type>[^,]*?),(?<data>[^#]*?)(?:#(?<hash>.*))?$/.exec(urlString); if (!match) { throw new Error(`Invalid URL: ${urlString}`);
test.js+14 −0 modified@@ -344,3 +344,17 @@ test('view-source URL', t => { normalizeUrl('view-source:https://www.sindresorhus.com'); }, '`view-source:` is not supported as it is a non-standard protocol'); }); + +test('does not have exponential performance for data URLs', t => { + for (let index = 0; index < 1000; index += 50) { + const url = 'data:' + Array.from({length: index}).fill(',#').join('') + '\ra'; + const start = Date.now(); + + try { + normalizeUrl(url); + } catch {} + + const difference = Date.now() - start; + t.true(difference < 100, `Execution time: ${difference}`); + } +});
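Review bot: in the index.js hunk the lazy quantifiers are now redundant, since `[^,]*?` cannot run past the `,` delimiter and `[^#]*?` cannot run past the `#`, so `[^,]*` and `[^#]*` would match exactly the same inputs and read as deliberate; a one-line comment above the regex saying that the negated classes, not the laziness, are what remove the backtracking would stop the next reader from "simplifying" it back to `.*?`.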
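Review bot: in the test.js hunk `t.true(difference < 100, ...)` is a wall-clock threshold, so the test can fail spuriously on a loaded CI runner even with the fix in place; consider a larger budget or timing only the largest `index`. The trailing `'\ra'` is what forces every match attempt to fail (`.` does not match a carriage return) and the empty `catch {}` is expected because the URL is invalid; both deserve a short comment so the test's intent survives later edits.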
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-px4h-xg32-q955 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-33502 (NVD advisory)
- github.com/sindresorhus/normalize-url/commit/b1fdb5120b6d27a88400d8800e67ff5a22bd2103 (fix commit)
- github.com/sindresorhus/normalize-url/releases/tag/v6.0.1 (release notes)
- security.netapp.com/advisory/ntap-20210706-0001 (NetApp advisory)
- security.netapp.com/advisory/ntap-20210706-0001/ (NetApp advisory, as listed by MITRE)