Platform
nodejs
Component
postcss
Fixed in
8.2.13
CVE-2021-23382 describes a Denial of Service (DoS) vulnerability within the PostCSS package. This vulnerability stems from inefficient regular expressions used in the getAnnotationURL() and loadAnnotation() functions within lib/previous-map.js. An attacker can exploit this by providing a specially crafted CSS file, leading to excessive CPU consumption and potential service disruption. Affected versions include those prior to 7.0.36 and those between 8.0.0 and 8.2.13; upgrading to version 8.2.13 or later resolves the issue.
The core of this vulnerability is Regular Expression Denial of Service (ReDoS) potential. A ReDoS vulnerability exists when a regular expression that is meant to match a specific pattern takes an unexpectedly long time to complete because of how its structure interacts with the input it is given. In this case the regex `\/\*\s* sourceMappingURL=(.*)` used by PostCSS in lib/previous-map.js is susceptible. A malicious actor can craft a CSS file containing numerous instances of this pattern, forcing the getAnnotationURL() and loadAnnotation() functions to spend excessive CPU cycles attempting to match the regex. This can lead to a denial of service, rendering the PostCSS processor unresponsive and potentially impacting applications that rely on it for CSS processing.
This vulnerability was publicly disclosed on January 7, 2022. A proof-of-concept (PoC) demonstrating the ReDoS has been published; it shows how a crafted CSS file triggers the vulnerable regex, making exploitation relatively straightforward. While no active exploitation campaigns have been publicly confirmed, the availability of a PoC increases the risk of opportunistic attacks. The vulnerability is not currently listed in the CISA KEV catalog.
Projects and applications that rely on PostCSS for CSS processing, particularly those using versions prior to 8.2.13, are at risk. This includes web development teams, build systems utilizing PostCSS, and any application that dynamically processes CSS files. Shared hosting environments where multiple users share the same PostCSS instance are also at increased risk, as a malicious user could potentially impact other users on the same server.
• nodejs / server: find running PostCSS processes and report the CPU usage of each
ps aux | grep postcss | grep -v grep | awk '{print $2}' | xargs -n 1 ps -o %cpu,pid -p
• nodejs / server: follow the Node service log and look for regex-related errors
journalctl -u node -f | grep -i "regex"
• generic web: Inspect access logs for unusually large POST requests containing CSS content. Look for patterns resembling the vulnerable regex in the CSS payload.
Exploit Status
EPSS
0.07% (22nd percentile)
The primary mitigation for CVE-2021-23382 is to upgrade PostCSS to version 8.2.13 or later. This version contains a fix that addresses the vulnerable regular expression. If an immediate upgrade is not feasible, consider implementing a temporary workaround by validating CSS files before processing them with PostCSS. This could involve limiting the size of CSS files or implementing a basic regex check to identify potentially malicious patterns. Web Application Firewalls (WAFs) configured to detect and block requests containing suspicious CSS content could also provide a layer of protection. Monitor CPU usage on systems running PostCSS to detect potential ReDoS attacks.
Update `postcss` to version 8.2.13 or later. This can be done by running `npm install postcss@latest` or `yarn upgrade postcss@latest` in your project. Be sure to verify compatibility with other dependencies after the update.
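The two defender-side steps above, checking whether an installed version falls in the affected ranges and validating CSS before it reaches PostCSS, as an added example written for this page (not PostCSS project code). Function names, the size and annotation thresholds, and the sample CSS are assumptions constructed for the example.

```javascript
// Added example (not PostCSS project code): defender-side helpers for CVE-2021-23382.
// isAffectedPostcssVersion() tests a resolved version against the ranges the advisory
// gives; precheckCss() is the "validate before processing" workaround, bounding size and
// the number/length of sourceMappingURL annotations with linear-time string scans.
// Function names, thresholds and the sample CSS are assumptions constructed for this example.

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmpSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Affected per the advisory: < 7.0.36, or >= 8.0.0 and < 8.2.13.
function isAffectedPostcssVersion(version) {
  if (cmpSemver(version, '7.0.36') < 0) return true;
  return cmpSemver(version, '8.0.0') >= 0 && cmpSemver(version, '8.2.13') < 0;
}

const DEFAULT_LIMITS = { maxBytes: 1024 * 1024, maxAnnotations: 1, maxAnnotationLength: 4096 };

// Reject CSS before it reaches PostCSS if it is oversized or carries more (or longer)
// sourceMappingURL annotations than a legitimate stylesheet would. Uses indexOf, not a
// regex, so the check itself cannot be driven superlinear by the input.
function precheckCss(css, limits = {}) {
  const { maxBytes, maxAnnotations, maxAnnotationLength } = { ...DEFAULT_LIMITS, ...limits };
  const bytes = Buffer.byteLength(css, 'utf8');
  if (bytes > maxBytes) return { ok: false, reason: `size ${bytes} exceeds ${maxBytes} bytes` };
  const marker = 'sourceMappingURL=';
  let count = 0;
  for (let pos = css.indexOf(marker); pos !== -1; pos = css.indexOf(marker, pos + marker.length)) {
    if (++count > maxAnnotations) return { ok: false, reason: `more than ${maxAnnotations} annotation(s)` };
    // The annotation value ends at the comment close or the line end, whichever comes first.
    const start = pos + marker.length;
    const close = css.indexOf('*/', start), nl = css.indexOf('\n', start);
    const end = Math.min(...[close, nl, css.length].filter((i) => i !== -1));
    if (end - start > maxAnnotationLength) return { ok: false, reason: 'annotation value too long' };
  }
  return { ok: true, annotations: count };
}

// Constructed sample inputs: a normal stylesheet and one stuffed with annotations.
const SAMPLE_OK = 'a { color: red }\n/*# sourceMappingURL=app.css.map */\n';
const SAMPLE_MANY = 'a { color: red }\n' + '/*# sourceMappingURL=x.map */\n'.repeat(50);

console.log(isAffectedPostcssVersion('8.2.12'), precheckCss(SAMPLE_OK), precheckCss(SAMPLE_MANY));
```

The thresholds are deliberately conservative for a build pipeline that only ever expects one source-map annotation per file; raise them where tooling legitimately emits more.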
CVE-2021-23382 is a Denial of Service vulnerability in PostCSS, affecting versions before 7.0.36 and between 8.0.0 and 8.2.13. A crafted CSS file can trigger a ReDoS, leading to service disruption.
If you are using PostCSS versions before 7.0.36 or between 8.0.0 and 8.2.13, you are potentially affected by this vulnerability. Check your project dependencies to determine your version.
Upgrade PostCSS to version 8.2.13 or later to resolve this vulnerability. This update contains a fix for the vulnerable regular expression.
While no active exploitation campaigns have been publicly confirmed, a proof-of-concept is available, increasing the risk of opportunistic attacks.
Refer to the PostCSS security advisory for detailed information and updates: https://github.com/postcss/postcss/security/advisories/GHSA-9999-9999-9999