GHSA-f38p-c2gq-4pmr · Severity: high · Ecosystem: npm — Regular Expression Denial-of-Service in npm schema-inspector
Schema-Inspector is an open-source tool to sanitize and validate JS objects (npm package schema-inspector). In before version 2.0.0, email address validation is vulnerable to a denial-of-service attack where some input (for example `a@0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.`) will freeze the program or web browser page executing the code. This affects any current schema-inspector users using any version to validate email addresses. Users who do not do email validation, and instead do other types of validation (like string min or max length, etc), are not affected. Users should upgrade to version 2.0.0, which uses a regex expression that isn't vulnerable to ReDoS.
Conclusion & alert: CVE-2021-21267 is rated High Exploit Risk (73.9/100): CVSS High severity, with medium exploitation likelihood (EPSS 2.09%). Core evidence: 3 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +1.22% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.87% | 2.09% | +1.22% |
| 2 | 2025-03-30 | 0.79% | 0.87% | +0.07% |
| 3 | 2025-03-29 | — | 0.79% | — |
Full EPSS history (14 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| 5.0 | 2.0 | MEDIUM |
|
10.0 | 2.9 | [email protected] |
GHSA-f38p-c2gq-4pmr · Severity: high · Ecosystem: npm — Regular Expression Denial-of-Service in npm schema-inspector
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| schema-inspector_project | schema-inspector | < 2.0.0 | cpe:2.3:a:schema-inspector_project:schema-inspector:*:*:*:*:*:node.js:*:* |
| netapp | e-series_performance_analyzer | — | cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:* |
| netapp | oncommand_insight | — | cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://gist.github.com/mattwelke/b7f42424680a57b8161794ad1737cd8f | Exploit Third Party Advisory |
| https://github.com/schema-inspector/schema-inspector/security/advisories/GHSA-f38p-c2gq-4pmr | Exploit Third Party Advisory |
| https://security.netapp.com/advisory/ntap-20210528-0006/ | Third Party Advisory |
| https://www.npmjs.com/package/schema-inspector | Exploit Third Party Advisory |