Regular Expression Denial of Service in postcss

Severity:: Medium

Description

The package postcss versions before 7.0.36 or between 8.0.0 and 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern

Recommendation

Update the postcss package to the latest compatible version. Followings are version details:

Affected version(s): **< 7.0.36 >= 8.0.0, < 8.2.13**
Patched version(s): **7.0.36 8.2.13**

References

GHSA-566m-qj78-rww5
snyk.io
CVE-2021-23382
CWE-400
CAPEC-310
OWASP 2021-A6

Related Issues

Regular Expression Denial of Service in postcss - postcss - CVE-2021-23368
Regular Expression Denial of Service in jsoneditor - CVE-2021-3822
Regular Expression Denial of Service (ReDoS) - ssri - CVE-2021-27290
html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS) - CVE-2021-23346

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; postcss

Anything's wrong? Let us know Last updated on September 08, 2023