Описание
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| node-css-what | fixed | 5.0.1-1 | package | |
| node-css-what | fixed | 4.0.0-3+deb11u1 | bullseye | package |
Примечания
https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
ReDoS issue fixed with rewrite of module to TypeScript
Not fixed in 4.0.0 see https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84
Fixed by https://github.com/fb55/css-what/pull/503/commits/46b0dbd6f38fb375da02208426f93f87f7169b7e
Связанные уязвимости
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
The package css-what before 2.1.3 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expression in the re_attr variable of index.js. The exploitation of this vulnerability could be triggered via the parse function.
css-what vulnerable to ReDoS due to use of insecure regular expression