Описание
A regular expression denial of service flaw has been discovered in the prettier code formatter tool. This flaw allows and attacker who has access to input source files to induce a denial of service.
Отчет
Within regulated environments, a combination of the following controls acts as a significant barrier to successful exploitation of a CWE-1333: Inefficient Regular Expression Complexity or a CWE-400: Uncontrolled Resource Consumption, and therefore downgrades the severity of this particular CVE from Moderate to Low. Baseline configurations enforce secure coding practices that prohibit inefficient regular expressions known to cause excessive backtracking and CPU consumption. User input is validated and constrained prior to regex evaluation or resource-intensive operations, reducing the risk of resource exhaustion. Static code analysis and peer reviews ensure that input handling, error conditions, and resource-bound logic are implemented securely to prevent denial-of-service vulnerabilities. Real-time monitoring and centralized log analysis support early detection of CPU spikes, memory pressure, or latency anomalies indicative of regex inefficiencies or system disruption.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 4 | io.cryostat-cryostat | Fix deferred | ||
| Migration Toolkit for Virtualization | migration-toolkit-virtualization/mtv-console-plugin-rhel9 | Fix deferred | ||
| Migration Toolkit for Virtualization | mtv-candidate/mtv-console-plugin-rhel9 | Fix deferred | ||
| Multicluster Global Hub | multicluster-globalhub/multicluster-globalhub-grafana-rhel9 | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-compat-rhel9 | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Fix deferred | ||
| OpenShift Lightspeed | openshift-lightspeed/lightspeed-console-plugin-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel8 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-console-plugin-rhel9 | Fix deferred | ||
| OpenShift Pipelines | openshift-pipelines/pipelines-hub-api-rhel8 | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
A vulnerability was found in prettier up to 3.6.2. It has been declared as problematic. Affected by this vulnerability is the function parseNestedCSS of the file src/language-css/parser-postcss.js. The manipulation of the argument node leads to inefficient regular expression complexity. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
5.3 Medium
CVSS3