{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T12:02:28.444","vulnerabilities":[{"cve":{"id":"CVE-2017-16021","sourceIdentifier":"support@hackerone.com","published":"2018-06-04T19:29:01.303","lastModified":"2024-11-21T03:15:40.693","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"uri-js is a module that tries to fully implement RFC 3986. One of these features is validating whether or not a supplied URL is valid or not. To do this, uri-js uses a regular expression, This regular expression is vulnerable to redos. This causes the program to hang and the CPU to idle at 100% usage while uri-js is trying to validate if the supplied URL is valid or not. To check if you're vulnerable, look for a call to `require(\"uri-js\").parse()` where a user is able to send their own input. This affects uri-js 2.1.1 and earlier."},{"lang":"es","value":"uri-js es un módulo que intenta implementar RFC 3986 completamente. Una de estas características es validar si una URL proporcionada es válida o no. Para hacerlo, uri-js emplea una expresión regular que es vulnerable a una denegación de servicio con expresiones regulares (ReDoS). Esto provoca que el programa se bloquee y que la CPU se vuelva inactiva al uso al 100% mientras uri-js intenta validar si la URL proporcionada es válida o no. Para comprobar si se es vulnerable, se debe buscar una llamada a \"require(\"uri-js\").parse()\" en la que el usuario pueda enviar sus propias entradas. Esto afecta a uri-js en versiones 2.1.1 y anteriores."}],"metrics":{"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":3.6}],"cvssMetricV2":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:N/I:N/A:C","baseScore":6.8,"accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"COMPLETE"},"baseSeverity":"MEDIUM","exploitabilityScore":8.0,"impactScore":6.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}]},"weaknesses":[{"source":"support@hackerone.com","type":"Secondary","description":[{"lang":"en","value":"CWE-400"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"CWE-1333"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:garycourt:uri-js:*:*:*:*:*:node.js:*:*","versionEndIncluding":"2.1.1","matchCriteriaId":"540B9C87-F30C-4317-8B31-F95A5429BBCF"}]}]}],"references":[{"url":"https://github.com/garycourt/uri-js/issues/12","source":"support@hackerone.com","tags":["Exploit","Issue Tracking","Third Party Advisory"]},{"url":"https://nodesecurity.io/advisories/100","source":"support@hackerone.com","tags":["Broken Link","Third Party Advisory"]},{"url":"https://github.com/garycourt/uri-js/issues/12","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Exploit","Issue Tracking","Third Party Advisory"]},{"url":"https://nodesecurity.io/advisories/100","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Broken Link","Third Party Advisory"]}]}}]}