CVE-2021-43843

Name: CVE-2021-43843
Creator: NVD / NIST
Published: 2021-12-20T22:15:07.817+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

HIGHCVSS 7.5/10EPSS 1.92%

Last modified Jun 17, 2026

CVE-2021-43843 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. EPSS estimates a 1.92% chance of exploitation in the next 30 days.

Description

jsx-slack is a package for building JSON objects for Slack block kit surfaces from JSX. The maintainers found the patch for CVE-2021-43838 in jsx-slack v4.5.1 is insufficient tfor protection from a Regular Expression Denial of Service (ReDoS) attack. If an attacker can put a lot of JSX elements into `<blockquote>` tag _with including multibyte characters_, an internal regular expression for escaping characters may consume an excessive amount of computing resources. v4.5.1 passes the test against ASCII characters but misses the case of multibyte characters. jsx-slack v4.5.2 has updated regular expressions for escaping blockquote characters to prevent catastrophic backtracking. It is also including an updated test case to confirm rendering multiple tags in `<blockquote>` with multibyte characters.

Metrics

CVSS 3.1

7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Probability

1.92%

77.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Jsx-Slack Project	Jsx-Slack	< 4.5.2

References

https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29eccPatch, Third Party Advisory
https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2Release Notes, Third Party Advisory
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248qExploit, Patch, Third Party Advisory
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6Exploit, Patch, Third Party Advisory
https://github.com/yhatt/jsx-slack/commit/46bc88391d89d5fda4ce689e18ca080bcdd29eccPatch, Third Party Advisory
https://github.com/yhatt/jsx-slack/releases/tag/v4.5.2Release Notes, Third Party Advisory
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-55xv-f85c-248qExploit, Patch, Third Party Advisory
https://github.com/yhatt/jsx-slack/security/advisories/GHSA-hp68-xhvj-x6j6Exploit, Patch, Third Party Advisory

Timeline

Published: Dec 20, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-43843?

How severe is CVE-2021-43843?

CVE-2021-43843 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.92% probability of exploitation in the next 30 days.

How do I fix CVE-2021-43843?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-43843?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST