Skip to content

fix: inflect vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3820)#34

Draft
galanko wants to merge 1 commit into
masterfrom
opensec/fix/cve-2021-3820-inflect
Draft

fix: inflect vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3820)#34
galanko wants to merge 1 commit into
masterfrom
opensec/fix/cve-2021-3820-inflect

Conversation

@galanko

@galanko galanko commented May 15, 2026

Copy link
Copy Markdown

Summary

Automated remediation for trivy finding: inflect vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3820)

Changes

  • Upgraded inflect (npm package 'i') from version 0.3.6 to 0.3.7
  • Added i@0.3.7 as a direct dependency in package.json to ensure consistent version resolution across all transitive dependencies
  • Updated package-lock.json to lock the dependency to the patched version
  • Verified no breaking changes; test suite passes

Why this matters

CVE-2021-3820 is a Regular Expression Denial of Service (ReDoS) vulnerability in the inflect library (CVSS score: 7.5). This vulnerability could allow attackers to cause denial of service through algorithmic complexity attacks when processing untrusted string inputs. The patch version bump (0.3.6 → 0.3.7) contains the fix without any breaking changes.

Verification

  • npm ls confirmed all instances of 'i' package resolve to 0.3.7
  • Test suite (npm test) executed successfully with no failures
  • No code changes required in consuming application code

Generated by OpenSec remediation agent

- Upgrade inflect package to version 0.3.7 to remediate ReDoS vulnerability
- Add i@0.3.7 as direct dependency to ensure consistent version resolution
- Verified no breaking changes; all tests pass
- Fixes CVE-2021-3820 (Inefficient Regular Expression Complexity)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant