CVE-2021-28092 Overview
The is-svg package for Node.js, in versions 2.1.0 through 4.2.1, contains a regular expression that is vulnerable to Regular Expression Denial of Service (ReDoS). When an attacker supplies a crafted string, the library stays busy processing that input for an extended period, which amounts to a denial of service in any application that depends on the package.
Critical Impact
Applications using vulnerable versions of is-svg can be rendered unresponsive when processing maliciously crafted input strings, potentially causing service outages and impacting application availability.
Affected Products
- is-svg versions 2.1.0 through 4.2.1 for Node.js
- Applications and dependencies utilizing vulnerable is-svg versions
- NetApp products (as referenced in their security advisory)
Discovery Timeline
- 2021-03-12 - CVE-2021-28092 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28092
Vulnerability Analysis
This vulnerability is classified as CWE-1333 (Inefficient Regular Expression Complexity). The is-svg package is designed to check if a given string is a valid SVG (Scalable Vector Graphics) image. The core issue lies in the regular expression pattern used for validation, which exhibits catastrophic backtracking behavior when processing certain input patterns.
Regular Expression Denial of Service attacks exploit the computational complexity of regex engines. When a vulnerable regex encounters a malicious input string, the engine can enter an exponential time complexity state due to excessive backtracking. In this case, the regex used within is-svg for SVG validation contains patterns that are susceptible to this type of algorithmic complexity attack.
The vulnerability can be exploited remotely over the network without requiring authentication or user interaction. The impact is limited to availability, causing denial of service without compromising data confidentiality or integrity.
Root Cause
The root cause is an inefficient regular expression pattern in the is-svg package. The regex contains constructs that lead to catastrophic backtracking, a condition in which the engine explores an exponentially growing number of candidate matches on specially crafted input. This is a common defect in patterns that use nested quantifiers or overlapping alternations without proper anchoring or atomic grouping.
Attack Vector
An attacker can exploit this vulnerability by providing a maliciously crafted string to any application that uses the is-svg package for input validation. The attack is network-based and requires no privileges or user interaction. When the vulnerable function processes the malicious input, the regex engine enters a state of excessive backtracking, consuming CPU resources and blocking the event loop in Node.js applications. This effectively freezes the application, causing denial of service.
The attack is particularly concerning in Node.js environments because the event loop is single-threaded: a ReDoS attack blocks all request processing, not just the malicious request.
Detection Methods for CVE-2021-28092
Indicators of Compromise
- Abnormally high CPU utilization in Node.js processes without a corresponding increase in legitimate traffic
- Application response times degrading significantly or timing out completely
- Event loop delays or blocked requests in Node.js application monitoring
- Log entries showing requests with unusually long processing times for SVG validation operations
Detection Strategies
- Implement dependency scanning in CI/CD pipelines to identify vulnerable versions of is-svg (2.1.0 through 4.2.1)
- Use software composition analysis (SCA) tools to audit package.json and package-lock.json files
- Monitor application performance metrics for anomalous CPU spikes during request processing
- Deploy runtime application self-protection (RASP) to detect ReDoS patterns
Monitoring Recommendations
- Configure alerting thresholds for Node.js event loop latency exceeding baseline values
- Implement request timeout mechanisms to terminate long-running validation operations
- Monitor and log processing duration for SVG validation functions
- Use APM tools to track regex execution times and identify potential ReDoS attempts
How to Mitigate CVE-2021-28092
Immediate Actions Required
- Upgrade is-svg to version 4.2.2 or later immediately
- Audit all applications and dependencies for vulnerable is-svg versions
- Implement request timeouts and input size limits as defense-in-depth measures
- Review dependency trees for transitive dependencies that may include vulnerable versions
Patch Information
The vulnerability has been addressed in is-svg version 4.2.2. The fix modifies the regular expression pattern to eliminate the catastrophic backtracking behavior. Organizations should update their package.json to require is-svg ^4.2.2, which resolves to 4.2.2 or a later 4.x release. For detailed release information, refer to the GitHub Release v4.2.2 page. Additional information is available in the NetApp Security Advisory.
Workarounds
- Implement input length validation before passing strings to is-svg to limit the maximum input size
- Add timeout wrappers around is-svg function calls to prevent indefinite blocking
- Consider alternative SVG validation methods that do not rely on vulnerable regex patterns
- Use worker threads for SVG validation to prevent event loop blocking in critical paths
# Update is-svg to patched version
npm update is-svg
# Verify installed version
npm list is-svg
# Force update to specific patched version
npm install is-svg@4.2.2 --save
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.