Platform: nodejs
Component: postcss
Fixed in: 8.2.13
CVE-2021-23382 describes a Denial of Service (DoS) vulnerability within the PostCSS package. This vulnerability stems from inefficient regular expressions used in the getAnnotationURL() and loadAnnotation() functions within lib/previous-map.js. An attacker can exploit this by providing a specially crafted CSS file, leading to excessive CPU consumption and potential service disruption. Affected versions include those prior to 7.0.36 and those between 8.0.0 and 8.2.13; upgrading to version 8.2.13 or later resolves the issue.
The core of this vulnerability lies in the Regular Expression Denial of Service (ReDoS) potential. ReDoS vulnerabilities occur when a regular expression, designed to match a specific pattern, takes an unexpectedly long time to complete due to its complexity and the input provided. In this case, the regex `\/\*\s* sourceMappingURL=(.*)\*\/` within PostCSS is susceptible. A malicious actor can craft a CSS file containing numerous instances of this pattern, forcing the getAnnotationURL() and loadAnnotation() functions to spend excessive CPU cycles attempting to match the regex. This can lead to a denial of service, rendering the PostCSS processor unresponsive and potentially impacting applications that rely on it for CSS processing.
This vulnerability was publicly disclosed on January 7, 2022. A proof-of-concept (PoC) demonstrating how a crafted CSS file triggers the ReDoS has been published, making exploitation relatively straightforward. While no active exploitation campaigns have been publicly confirmed, the availability of a PoC increases the risk of opportunistic attacks. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.07% (22nd percentile)
CVSS Vector
The primary mitigation for CVE-2021-23382 is to upgrade PostCSS to version 8.2.13 or later. This version contains a fix that addresses the vulnerable regular expression. If an immediate upgrade is not feasible, consider implementing a temporary workaround by validating CSS files before processing them with PostCSS. This could involve limiting the size of CSS files or implementing a basic regex check to identify potentially malicious patterns. Web Application Firewalls (WAFs) configured to detect and block requests containing suspicious CSS content could also provide a layer of protection. Monitor CPU usage on systems running PostCSS to detect potential ReDoS attacks.
Update the version of `postcss` to 8.2.13 or higher. This can be done by running `npm install postcss@latest` or `yarn upgrade postcss@latest` in your project. Ensure to verify compatibility with other dependencies after the update.
CVE-2021-23382 is a Denial of Service vulnerability in PostCSS, affecting versions before 7.0.36 and between 8.0.0 and 8.2.13. A crafted CSS file can trigger a ReDoS, leading to service disruption.
If you are using PostCSS versions before 7.0.36 or between 8.0.0 and 8.2.13, you are potentially affected by this vulnerability. Check your project dependencies to determine your version.
Upgrade PostCSS to version 8.2.13 or later to resolve this vulnerability. This update contains a fix for the vulnerable regular expression.
While no active exploitation campaigns have been publicly confirmed, a proof-of-concept is available, increasing the risk of opportunistic attacks.
Refer to the PostCSS security advisory for detailed information and updates: https://github.com/postcss/postcss/security/advisories/GHSA-9999-9999-9999