CVE-2022-21222: the css-what package is vulnerable to ReDoS due to the use of an insecure regular expression in re_attr of index.js
parse(regexp, string) - The parse function parses a string and returns an object with properties such as length and match. If a maliciously crafted regular expression is passed in the regexp parameter, it can crash the browser when a large amount of data is passed to the parse function. This is because the parse function accepts strings as an argument, not variables. To exploit this, an attacker could create a maliciously crafted regular expression and pass a large amount of data to the parse function, causing the browser to crash. The regular expression used by the package in vulnerable versions before 2.1.3 is: ^https?\:\/\/favicon\.png$\u003e\u003c{}\u003e\u003c{}\u003e\u003c{}\u003e\u003c{}\u003e\u003c{}\u003e\u003c{}\u003e\u003c{}\u003e\u003c{}\u003e\u003c{}\u003e\u003c{}\u003e\
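To check whether a project has locked a css-what release from the range stated above (before 2.1.3), the following added example scans a parsed package-lock.json in both lockfile layouts. It is not code from the css-what project or from this advisory; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: list css-what installs older than 2.1.3 in a parsed package-lock.json.
const FIXED = [2, 1, 3]; // versions before this are in the range the page gives

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false; // not a plain version (git URL, tag): review by hand
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // exactly 2.1.3
}

// lockfileVersion 1: nested "dependencies" trees.
function walkV1(deps, trail, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = trail.concat(name);
    if (name === 'css-what' && isAffected(info.version)) {
      out.push({ path: path.join(' > '), version: info.version });
    }
    walkV1(info.dependencies, path, out);
  }
}

// Returns every affected css-what entry in a parsed lockfile object.
function findAffected(lock) {
  const out = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat "packages" map keyed by install path.
    for (const [key, info] of Object.entries(lock.packages)) {
      const isCssWhat = key === 'node_modules/css-what' || key.endsWith('/node_modules/css-what');
      if (isCssWhat && isAffected(info.version)) out.push({ path: key, version: info.version });
    }
  } else {
    walkV1(lock.dependencies, [], out);
  }
  return out;
}

// Constructed sample lockfile, not taken from any real project.
const sample = { lockfileVersion: 2, packages: {
  'node_modules/css-what': { version: '2.1.0' },
  'node_modules/css-select/node_modules/css-what': { version: '2.1.3' },
} };
console.log(findAffected(sample));
```

Pass it the result of JSON.parse on the project's package-lock.json; an empty array means no css-what entry below 2.1.3 is locked, including copies nested under other packages.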
Other versions and platforms
The same vulnerability appears in other versions and platforms of the package.
Timeline
Published on: 09/30/2022 05:15:00 UTC
Last modified on: 10/04/2022 18:25:00 UTC