The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| normalize-url(npm) | 4.3.0 | 4.5.1 | N/A |
| normalize-url(npm) | 5.0.0 | 5.3.1 | N/A |
| normalize-url(npm) | 6.0.0 | 6.0.1 | N/A |
CVSS Metrics
