Platform
nodejs
Component
nth-check
Fixed in
2.0.1
CVE-2021-3803 identifies an inefficient regular expression complexity (ReDoS) weakness in nth-check, the small library that parses CSS `:nth-child(an+b)`-style expressions for css-select and, through it, for packages such as cheerio and svgo. A crafted expression makes the regex engine do an amount of work that grows polynomially with the input length, which is enough to pin a CPU and deny service. The vulnerability affects versions of nth-check before 2.0.1; the fix ships in version 2.0.1.
The core of this vulnerability is an ambiguous regular expression used by nth-check to parse the `an+b` formula. A specially crafted input (a valid prefix, a long run of whitespace, then a character that makes the whole match fail) forces the engine into catastrophic backtracking: it retries every way of splitting the whitespace between adjacent quantifiers before giving up, so the cost grows super-linearly with input length. The effect is CPU exhaustion rather than memory exhaustion, and because Node.js runs JavaScript on a single thread, one such parse blocks the event loop for the whole process, stalling every other request it is serving. This is only reachable where attacker-controlled selectors are parsed, for example a service that accepts user-supplied CSS selectors or scrapes untrusted HTML with cheerio; selectors hard-coded by the application are not an attack surface. The blast radius is the Node.js process running nth-check and any service that depends on it staying responsive.
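The following block is an added illustration, not code from nth-check or from the advisory. `AMBIGUOUS_RE` is a constructed pattern that reproduces the weakness class described above (two adjacent greedy `\s*` quantifiers around an optional group) rather than a verbatim copy of the library's regex; `craftedInput` builds the kind of input that triggers the backtracking, and `parseNth` is a single-pass parser for the same `an+b` grammar that rejects the crafted input in linear time. All function names are the example's own.

```javascript
// Added example (not nth-check's code): why an ambiguous regex is a ReDoS
// risk, and a single-pass parser for the an+b grammar that avoids it.
// AMBIGUOUS_RE is a constructed pattern sharing the structure of the
// weakness: two adjacent greedy \s* quantifiers around an optional group,
// so a long whitespace run followed by a character that can never match
// forces the engine to try every split of that run between the two.
const AMBIGUOUS_RE = /^([+-]?\d*n)?\s*(?:[+-]?\s*(\d+))?$/;

// Crafted input: valid prefix, long run of spaces, then a character that
// cannot match anywhere, so backtracking is exhaustive.
function craftedInput(spaces) {
  return 'n' + ' '.repeat(spaces) + '!';
}

// Time one regex test; `ms` grows roughly quadratically in `spaces`.
function timeRegex(re, input) {
  const t0 = performance.now(); // global in Node 16+
  const matched = re.test(input);
  return { matched, ms: performance.now() - t0 };
}

// Linear-time parser for "an+b" plus the even/odd keywords.
// Returns [a, b] on success and null on malformed input; it never
// backtracks, so the crafted input is rejected in O(length).
function parseNth(formula) {
  const s = formula.trim().toLowerCase();
  if (s === 'even') return [2, 0];
  if (s === 'odd') return [2, 1];
  let i = 0;
  const n = s.length;
  const isDigit = (c) => c >= '0' && c <= '9';
  const isWs = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';
  const skipWs = () => { while (i < n && isWs(s[i])) i++; };
  const readSign = () => {
    if (s[i] === '+') { i++; return 1; }
    if (s[i] === '-') { i++; return -1; }
    return 1;
  };
  const readNumber = () => {
    const start = i;
    while (i < n && isDigit(s[i])) i++;
    return i > start ? Number(s.slice(start, i)) : null;
  };

  let a = 0;
  let b = 0;
  const sign = readSign();
  const num = readNumber();
  if (i < n && s[i] === 'n') {
    i++;
    a = sign * (num === null ? 1 : num); // "n" and "-n" mean 1n and -1n
    skipWs();
    if (i < n) {
      // optional "+ b" / "- b" part
      const bSign = s[i] === '+' ? 1 : s[i] === '-' ? -1 : null;
      if (bSign === null) return null;
      i++;
      skipWs();
      const bNum = readNumber();
      if (bNum === null) return null;
      b = bSign * bNum;
    }
  } else {
    if (num === null) return null; // a bare "b" needs digits
    b = sign * num;
  }
  skipWs();
  return i === n ? [a, b] : null;
}

// Stand-alone demo: each doubling of the whitespace run roughly quadruples
// the regex time, while the hand-written parser stays flat.
for (const spaces of [2000, 4000, 8000]) {
  const input = craftedInput(spaces);
  const r = timeRegex(AMBIGUOUS_RE, input);
  const t0 = performance.now();
  parseNth(input);
  const parserMs = performance.now() - t0;
  console.log(`${spaces} spaces: regex ${r.ms.toFixed(1)} ms, parser ${parserMs.toFixed(2)} ms`);
}
```

The same crafted input is what the upgrade verification in the mitigation section needs: before the fix the parse time climbs with the whitespace run, after it the time is flat. Timings vary by machine, so the thing to look at is the growth ratio between runs, not the absolute numbers.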
CVE-2021-3803 was published on September 17, 2021. There is no indication of active exploitation campaigns targeting this vulnerability. It is not listed on KEV, and its EPSS score is low (0.13%), reflecting the absence of public exploits and of observed exploitation. Public proof-of-concept code is not widely available, which further reduces the immediate risk, though the input that triggers the issue is simple enough that this should not be relied on.
Exploit Status
EPSS
0.13% (33rd percentile)
CVSS Vector
The primary mitigation for CVE-2021-3803 is to upgrade to version 2.0.1 or later of nth-check. If an immediate upgrade is not feasible because of compatibility concerns or downtime requirements, add input validation upstream of nth-check: cap the length of any selector string that originates from an untrusted source before it reaches the parser, since the backtracking cost only becomes significant on long inputs. A WAF can enforce a similar length limit on request fields, but it does not see selectors assembled inside the application and is not a reliable long-term solution. Verify the upgrade by parsing a known pathological input (a valid prefix followed by a long run of whitespace and a junk character) after updating; the call should return or throw promptly rather than consume CPU for seconds.
Update the `nth-check` dependency to version 2.0.1 or higher to resolve the inefficient regular expression complexity vulnerability. In most projects nth-check is not a direct dependency but arrives transitively through css-select, cheerio, svgo or a build toolchain, so `npm install nth-check@latest` or `yarn upgrade nth-check@latest` only updates the top-level copy and leaves nested copies pinned by their parents in place. List every installed copy with `npm ls nth-check` (or `yarn why nth-check`), upgrade the parent package where a newer release already depends on nth-check 2.x, and where no such release exists force the version with the `overrides` field in package.json (npm 8.3+) or the `resolutions` field (Yarn). Re-run `npm audit` or `yarn audit` afterwards to confirm the finding is gone.
CVE-2021-3803 is a denial-of-service vulnerability in nth-check versions before 2.0.1, caused by an inefficient regular expression. A crafted input triggers catastrophic backtracking and CPU exhaustion, blocking the Node.js event loop.
You are affected if any copy of nth-check below version 2.0.1 is installed in your dependency tree, including nested copies pulled in by other packages. nth-check is a library with no command-line entry point, so check the installed versions with `npm ls nth-check` or `yarn why nth-check`, or run `npm audit`.
Upgrade to version 2.0.1 or later of nth-check, using a package manager override where a parent package pins an older range. If an immediate upgrade isn't possible, limit the length of any untrusted selector string before it reaches the parser.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-3803, but it remains a potential risk.
Refer to the nth-check project's repository or website for the official advisory and release notes related to CVE-2021-3803.