CVE-2022-24373 Reanimated 3.0.0-rc.1 package is vulnerable to Regular Expression Denial of Service due to Colors.js improper usage of regular expression.

A specially crafted image could potentially trigger an infinite loop in the parsing process of Colors.js, which eventually leads to a denial of service.

Affected packages:

– react-native-reanimated before 3.0.0-rc.1

– react-native before version 0.44.1

– react-native-elements before version 0.10.5

– react-native-vector-icons before version 1.0.0

– react-native-vector-icons-svg before version 1.0.0

– react-native-vector-icons-png before version 1.0.0

– react-native-vector-icons-svg-png before version 1.0.0

– react-native-vector-icons-eot before version 1.0.0

– react-native-vector-icons-ttf before version 1.0.0

– react-native-vector-icons-woff before version 1.0.0

– react-native-vector-icons-woff-svg before version 1.0.0

– react-native-vector- icons-woff- eot before version 1.0.0

– react-native-vector-icons-ttf before version 1.0.0

– react-native-vector-icons-sv

Background information

The react-native library was already updated and patched before the new discovery.

CVE identifier: CVE-2022-24373
CVSSv3 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Timeline

Published on: 09/30/2022 05:15:00 UTC
Last modified on: 10/04/2022 18:26:00 UTC

References

• https://security.snyk.io/vuln/SNYK-JS-REACTNATIVEREANIMATED-2949507
• https://github.com/software-mansion/react-native-reanimated/releases/tag/3.0.0-rc.1
• https://github.com/software-mansion/react-native-reanimated/pull/3382/commits/7adf06d0c59382d884a04be86a96eede3d0432fa
• https://github.com/software-mansion/react-native-reanimated/pull/3382
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24373