A specially crafted image could potentially trigger an infinite loop in the parsing process of Colors.js, which eventually leads to a denial of service.
Affected packages:
– react-native-reanimated before 3.0.0-rc.1
– react-native before version 0.44.1
– react-native-elements before version 0.10.5
– react-native-vector-icons before version 1.0.0
– react-native-vector-icons-svg before version 1.0.0
– react-native-vector-icons-png before version 1.0.0
– react-native-vector-icons-svg-png before version 1.0.0
– react-native-vector-icons-eot before version 1.0.0
– react-native-vector-icons-ttf before version 1.0.0
– react-native-vector-icons-woff before version 1.0.0
– react-native-vector-icons-woff-svg before version 1.0.0
– react-native-vector- icons-woff- eot before version 1.0.0
– react-native-vector-icons-ttf before version 1.0.0
– react-native-vector-icons-sv
Background information
The react-native library was already updated and patched before the new discovery.
CVE identifier: CVE-2022-24373
CVSSv3 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Timeline
Published on: 09/30/2022 05:15:00 UTC
Last modified on: 10/04/2022 18:26:00 UTC
References
- https://security.snyk.io/vuln/SNYK-JS-REACTNATIVEREANIMATED-2949507
- https://github.com/software-mansion/react-native-reanimated/releases/tag/3.0.0-rc.1
- https://github.com/software-mansion/react-native-reanimated/pull/3382/commits/7adf06d0c59382d884a04be86a96eede3d0432fa
- https://github.com/software-mansion/react-native-reanimated/pull/3382
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24373