CVE-2021-27290 Overview
CVE-2021-27290 is a Regular Expression Denial of Service (ReDoS) vulnerability affecting the ssri (Subresource Integrity) npm package versions 5.2.2 through 8.0.0. The vulnerability exists in the way ssri processes Subresource Integrity (SRI) values using a regular expression that exhibits catastrophic backtracking behavior. When the strict option is enabled, malicious SRI inputs can cause the regular expression engine to consume excessive CPU time, leading to denial of service conditions in Node.js applications.
Critical Impact
Applications using ssri with the strict option enabled are vulnerable to denial of service attacks. Malicious actors can craft SRI values that cause the application to become unresponsive, potentially affecting critical npm-based infrastructure and build pipelines.
Affected Products
- ssri_project ssri versions 5.2.2 through 8.0.0
- Oracle GraalVM Enterprise editions 20.3.3 and 21.2.0
- Siemens SINEC Infrastructure Network Services
Discovery Timeline
- 2021-03-12 - CVE-2021-27290 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-27290
Vulnerability Analysis
The ssri package is a widely-used npm dependency that validates and parses Subresource Integrity metadata. The vulnerability stems from an inefficient regular expression pattern used to parse SRI hash values when the strict mode is enabled. Regular Expression Denial of Service (ReDoS) vulnerabilities occur when input data causes the regex engine to enter a state of exponential time complexity due to backtracking behavior.
In this case, carefully crafted SRI strings can trigger worst-case algorithmic complexity in the regex evaluation. The ssri package is particularly significant as it is a transitive dependency of npm itself, making this vulnerability potentially impactful across the entire Node.js ecosystem. Applications that accept user-controlled SRI values are especially at risk.
Root Cause
The root cause of CVE-2021-27290 is an inefficient regular expression pattern in the ssri package's SRI parsing logic. When the strict option is enabled, the regex used for validation contains nested quantifiers and overlapping character classes that can lead to catastrophic backtracking. This is a classic ReDoS pattern where the regex engine must explore an exponentially growing number of possible matches when processing malformed or adversarial input strings.
Attack Vector
The attack can be executed remotely over the network without requiring authentication or user interaction. An attacker needs to supply a maliciously crafted SRI value to an application that uses the ssri package with the strict option enabled. The attack surface includes:
- Web applications that validate SRI hashes from user input
- Build systems and package managers processing untrusted package metadata
- Content Delivery Networks (CDNs) that verify integrity of served resources
- CI/CD pipelines processing package-lock.json files with malicious SRI values
The vulnerability exploitation causes CPU exhaustion, potentially rendering the affected Node.js process unresponsive and denying service to legitimate users.
Detection Methods for CVE-2021-27290
Indicators of Compromise
- Sudden CPU spikes in Node.js processes handling SRI validation
- Application timeouts or unresponsiveness during package installation or integrity checks
- Unusual request patterns containing extremely long or malformed SRI hash values
- Process hangs in npm, yarn, or other package managers during dependency resolution
Detection Strategies
- Monitor application performance metrics for CPU anomalies during SRI parsing operations
- Implement request timeout monitoring to detect hanging regex evaluations
- Use software composition analysis (SCA) tools to identify vulnerable ssri versions in your dependency tree
- Run npm ls ssri or yarn why ssri to check installed versions in your projects
- Review application logs for timeout errors related to integrity checks
Monitoring Recommendations
- Set up alerting for elevated CPU usage in Node.js application processes
- Implement APM (Application Performance Monitoring) to track request latency spikes
- Monitor npm audit results for known vulnerabilities in the dependency chain
- Configure process-level resource limits to contain potential DoS conditions
How to Mitigate CVE-2021-27290
Immediate Actions Required
- Upgrade ssri to version 8.0.1 or later immediately
- Run npm audit fix or yarn upgrade ssri to update the dependency
- Audit your application's usage of the strict option in ssri calls
- Implement input validation and length limits on user-supplied SRI values
- Consider adding request timeouts as a defense-in-depth measure
Patch Information
The vulnerability is fixed in ssri version 8.0.1. Users should upgrade to this version or later. For additional security guidance, refer to the vendor advisories:
- Doyensec Advisory on ssri ReDoS
- Siemens Security Advisory SSA-389290
- Oracle October 2021 CPU Security Alert
Workarounds
- Disable the strict option in ssri if strict SRI validation is not required
- Implement input length validation before passing SRI values to ssri
- Add timeout wrappers around ssri function calls to prevent indefinite blocking
- Consider using Web Application Firewalls (WAF) to filter requests with suspicious SRI patterns
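As an added example (not the ssri project's own code), a linear-time pre-validator in Node.js that enforces the length and shape checks the workarounds above describe before any value reaches ssri; the size caps, allowed algorithms and digest lengths are assumptions chosen for this example.

```javascript
// Added example, not the ssri package's own code: a linear-time guard that
// validates SRI strings before they reach ssri.parse(), so oversized or
// malformed input never hits a backtracking-prone regex.
// Caps chosen for this example (assumptions): a base64 SHA-512 digest is
// 88 characters, so a realistic single entry stays well under 256 bytes.
const MAX_ENTRY_LENGTH = 256;
const MAX_ENTRIES = 8;
// Base64 digest lengths (with padding) for the algorithms SRI allows.
const DIGEST_LENGTH = new Map([['sha256', 44], ['sha384', 64], ['sha512', 88]]);
// Anchored patterns with no nested quantifiers or overlapping classes, so
// each runs in time linear in the input length.
const BASE64 = /^[A-Za-z0-9+/]+={0,2}$/;
const PRINTABLE = /^[\x21-\x7E]+$/;

// Parse one "algo-digest[?opt1?opt2]" entry with indexOf/slice instead of
// one catch-all regex. Returns { algorithm, digest, options } or null.
function parseSriEntry(entry) {
  if (typeof entry !== 'string' || entry.length > MAX_ENTRY_LENGTH) return null;
  const dash = entry.indexOf('-');
  if (dash <= 0) return null;
  const algorithm = entry.slice(0, dash).toLowerCase();
  const expectedLength = DIGEST_LENGTH.get(algorithm);
  if (expectedLength === undefined) return null;
  const rest = entry.slice(dash + 1);
  const q = rest.indexOf('?');
  const digest = q === -1 ? rest : rest.slice(0, q);
  const options = q === -1 ? [] : rest.slice(q + 1).split('?');
  if (digest.length !== expectedLength || !BASE64.test(digest)) return null;
  for (const opt of options) {
    if (!PRINTABLE.test(opt)) return null; // rejects empty or whitespace options
  }
  return { algorithm, digest, options };
}

// Validate a whole SRI attribute value (whitespace-separated entries) and
// reject it entirely if any entry is malformed or the count is excessive.
function validateSri(value) {
  if (typeof value !== 'string') return null;
  const entries = value.trim().split(/\s+/);
  if (entries.length > MAX_ENTRIES) return null;
  const parsed = [];
  for (const e of entries) {
    const p = parseSriEntry(e);
    if (p === null) return null;
    parsed.push(p);
  }
  return parsed;
}
```

Run validateSri() on user-supplied integrity strings and pass only accepted values on to ssri; a rejected value costs a single pass over the input however it was constructed.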
```shell
# Upgrade ssri to the patched version
npm update ssri
# Or force the specific fixed version
npm install ssri@8.0.1
# Verify the installed version
npm ls ssri
# Run npm audit to check for remaining vulnerabilities
npm audit
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

