CVE-2021-33502

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

References

Affected packages

Debian:11 / node-got

Package

Name: node-got
Purl: pkg:deb/debian/node-got?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.8.1+~cs53.13.17-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / node-got

Package

Name: node-got
Purl: pkg:deb/debian/node-got?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.8.1+~cs53.13.17-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / node-got

Package

Name: node-got
Purl: pkg:deb/debian/node-got?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

11.8.1+~cs53.13.17-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/sindresorhus/normalize-url

Affected ranges

Type: GIT
Repo: https://github.com/sindresorhus/normalize-url
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

305e3f22efb87505d3bc87c17c50b1ef67789acb

Fixed

305e3f22efb87505d3bc87c17c50b1ef67789acb

Affected versions

1.*

1.2.1

1.3.0

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.2.0

v1.3.1

v1.4.0

v1.4.1

v1.5.0

v1.5.1

v1.5.2

v1.5.3

v1.6.0

v1.6.1

v1.7.0

v1.8.0

v1.9.0

v1.9.1

v2.*

v2.0.0

v2.0.1

v3.*

v3.0.0

v3.0.1

v3.1.0

v3.2.0

v3.3.0

v4.*

v4.0.0

v4.1.0

v4.2.0

v4.3.0

v4.4.0

v4.4.1

v4.5.0

v5.*

v5.0.0

v5.1.0

v5.2.1

v5.3.0

v6.*

v6.0.0