HIGH · CVE-2021-3803 · CVSS 7.5

CVE-2021-3803: Regex Complexity in nth-check

Platform

nodejs

Component

nth-check

Fixed in

2.0.1

AI Confidence: high · Source: NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2021-3803 identifies an inefficient regular expression complexity vulnerability within nth-check. This flaw can trigger a denial-of-service (DoS) condition by consuming excessive resources, potentially leading to system instability. The vulnerability affects versions of nth-check up to and including 2.0.1. A fix is available in version 2.0.1.

Impact and Attack Scenarios

The core of this vulnerability lies in an overly complex regular expression used within nth-check. A specially crafted input string can cause the regex engine to enter an infinite loop or consume an excessive amount of memory and CPU resources. This resource exhaustion can effectively render the affected system unresponsive, leading to a denial of service. Attackers could exploit this to disrupt services relying on nth-check for input validation, potentially impacting critical applications. The blast radius is limited to the system running nth-check and any services dependent on its validation functions.

Exploitation Context

CVE-2021-3803 was published on September 17, 2021. There is no indication of active exploitation campaigns targeting this vulnerability. The vulnerability is not listed on KEV, and the EPSS score is likely low due to the lack of public exploits and active exploitation. Public proof-of-concept (POC) code is not widely available, further reducing the immediate risk.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
NextGuard: 100% still vulnerable

EPSS

0.13% (33rd percentile)

CVSS Vector

Threat Intelligence · CVSS 3.1 vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (base score 7.5, HIGH; nextguardhq.com, CVSS v3.1 base score)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: nth-check
Vendor: fb55
Affected range: unspecified – 2.0.1
Fixed in: 2.0.1

Package Information

Latest version: 3.0.1 (last updated 2 months ago)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched 0 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2021-3803 is to upgrade to version 2.0.1 or later of nth-check. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing input validation measures upstream of nth-check to filter potentially malicious input strings. This could involve limiting the length or complexity of input data before it reaches nth-check. While a WAF might offer some protection, it's not a reliable long-term solution. Verify the upgrade by attempting to process a known malicious input string after the upgrade; the system should not exhibit excessive resource consumption.

How to fix

Update the `nth-check` dependency to version 2.0.1 or higher. This will resolve the inefficient regular expression complexity vulnerability. Run `npm install nth-check@latest` or `yarn upgrade nth-check@latest` to update.
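Because `nth-check` is usually pulled in transitively (for example via `css-select`), a nested copy can stay below 2.0.1 even after the top-level package is updated. The following added example (not from the advisory or the nth-check project) walks a lockfile's `packages` map and flags every `nth-check` entry older than the fixed version; the lockfile content is constructed for illustration.

```javascript
// Added example: find nth-check entries below the fixed version 2.0.1 in a
// package-lock.json (lockfileVersion 2/3 "packages" map). Constructed data.
const FIXED_VERSION = '2.0.1';

// Compare two "x.y.z" version strings numerically (pre-release tags ignored).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every installed nth-check copy that is older than FIXED_VERSION,
// together with the node_modules path it lives at (nested copies included).
function findVulnerableNthCheck(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/nth-check')) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is fixed, but a copy
// nested under css-select is still on the affected 1.x line.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/nth-check': { version: '2.0.1' },
    'node_modules/css-select/node_modules/nth-check': { version: '1.0.2' },
  },
};

for (const hit of findVulnerableNthCheck(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.version} < ${FIXED_VERSION} (CVE-2021-3803)`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no installed copy is below 2.0.1.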

Frequently asked questions

What is CVE-2021-3803 — Regex Complexity in nth-check?

CVE-2021-3803 is a denial-of-service vulnerability in nth-check versions up to 2.0.1, caused by an inefficient regular expression. A crafted input can trigger resource exhaustion, leading to system instability.

Am I affected by CVE-2021-3803 in nth-check?

You are affected if you are using nth-check version 2.0.1 or earlier. Check your installed version using nth-check --version.

How do I fix CVE-2021-3803 in nth-check?

Upgrade to version 2.0.1 or later of nth-check. If immediate upgrade isn't possible, implement upstream input validation to limit input complexity.

Is CVE-2021-3803 being actively exploited?

There is currently no evidence of active exploitation campaigns targeting CVE-2021-3803, but it remains a potential risk.

Where can I find the official nth-check advisory for CVE-2021-3803?

Refer to the nth-check project's repository or website for the official advisory and release notes related to CVE-2021-3803.