CVE-2021-23368
Regular Expression Denial of Service (ReDoS) vulnerability in postcss


What is CVE-2021-23368 About?

This vulnerability affects the `postcss` npm package in versions 7.0.0 up to but not including 7.0.36, and 8.0.0 up to but not including 8.2.10. The regular expressions that read the `sourceMappingURL` annotation comment from input CSS (part of postcss's source-map handling) backtrack excessively on crafted input, so a malicious stylesheet can pin a CPU core for a long time and deny service. Exploitation requires that an attacker get postcss to parse CSS they control; no separate source-map file is needed, because the annotation is read from the CSS text itself.

Affected Software

  • postcss
    • >7.0.0, <7.0.36
    • >8.0.0, <8.2.10

Technical Details

The `postcss` npm package in versions 7.0.0 up to but not including 7.0.36, and 8.0.0 up to but not including 8.2.10, is susceptible to a Regular Expression Denial of Service (ReDoS) when it reads source-map annotations from the CSS it is given. The affected regular expressions are in the previous-source-map handling (`getAnnotationURL()` and `loadAnnotation()` in `lib/previous-map.js`), which scans `/* ... */` comments for a `sourceMappingURL=` annotation. On crafted input, typically a long run of characters that adjacent quantifiers in the pattern can each claim, the engine enters catastrophic backtracking: it retries every way of splitting that run between the quantifiers, so matching time grows superlinearly (polynomially here; exponentially for some patterns) with the length of the crafted region instead of linearly. Regex matching in Node.js is synchronous, so the event loop of the process running `postcss` is blocked for the whole match, and an attacker who can get a crafted stylesheet parsed makes the application unresponsive for that time.
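The contrast below is an added illustration, not code from postcss: a comment-scanning regex constructed to show the class of bug described above (a `\s*` quantifier competing with a greedy `(.*)` for the same run of whitespace), next to a linear-time scan that extracts the same annotation without backtracking. The function names, the `craftedInput` generator and the sample stylesheets are all constructed for this example; the regex is not postcss's actual pattern.

```javascript
// Added example, not postcss's own code. BACKTRACKING_RE is constructed to
// resemble a "/*# sourceMappingURL=... */" scanner with the classic defect:
// the greedy "(.*)" and the "\s*" after it both match spaces, so when the
// closing "*/" is missing the engine tries every split between them.
// Work is O(n^2) in the amount of trailing whitespace.
const BACKTRACKING_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//;

function annotationViaRegex(css) {
  const m = BACKTRACKING_RE.exec(css);
  return m ? m[1].trim() : null;
}

// Linear scan of the same grammar: find "/*", skip whitespace one character
// at a time, require the literal marker, then cut at the first "*/". Each
// step only moves an index forward, so nothing is re-examined.
const MARKER = '# sourceMappingURL=';

function annotationLinear(css) {
  let from = 0;
  for (;;) {
    const open = css.indexOf('/*', from);
    if (open === -1) return null;
    let i = open + 2;
    while (i < css.length && /\s/.test(css[i])) i += 1; // single-char test, no backtracking
    if (css.startsWith(MARKER, i)) {
      const close = css.indexOf('*/', i + MARKER.length);
      if (close === -1) return null;                     // unterminated annotation: reject
      const url = css.slice(i + MARKER.length, close).trim();
      if (url.includes('\n')) return null;               // regex form is single-line; keep that rule
      return url;
    }
    from = open + 2;                                      // ordinary comment; keep scanning
  }
}

// Constructed attacker input: a valid annotation prefix that is never closed,
// padded with n spaces. Only the regex version's cost grows with n.
function craftedInput(n) {
  return '/*# sourceMappingURL=' + ' '.repeat(n);
}

function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Doubling n roughly quadruples the regex time; the linear scan stays flat.
for (const n of [1000, 2000, 4000]) {
  const regexMs = timeMs(annotationViaRegex, craftedInput(n)).toFixed(1);
  const linearMs = timeMs(annotationLinear, craftedInput(n)).toFixed(2);
  console.log(`n=${n}: regex ${regexMs} ms, linear ${linearMs} ms`);
}
```

Two differences are deliberate: the linear version stops at the first `*/` on the line (the greedy regex would run to the last one), and it rejects an unterminated annotation immediately instead of searching for a way to make it match. Rewriting the scanner is the durable fix; bounding the size of CSS accepted from untrusted sources, or running the parse in a worker with a timeout, only limits how long one request can hold the event loop.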

What is the Impact of CVE-2021-23368?

Successful exploitation lets an attacker keep a CPU core busy for as long as the crafted input dictates. Because the match runs synchronously on Node's event loop, every other request handled by that process stalls for the duration, so a single crafted stylesheet can make the affected application or service unresponsive to legitimate users; repeated submissions keep it that way.

What is the Exploitability of CVE-2021-23368?

Exploitation requires that the attacker can supply CSS which the application parses with a vulnerable `postcss` version. The crafted content lives in the `sourceMappingURL` comment of that CSS, so no separate source-map file is needed. Attack complexity is low once the vulnerable pattern is known: the input is an ordinary stylesheet whose annotation comment is padded with a long run of characters the regex must backtrack over, and the cost grows superlinearly with the padding. No authentication or elevated privileges are needed beyond whatever lets the attacker submit the stylesheet. The realistic exposure is any service that runs postcss on user-provided or third-party CSS at request time (an upload endpoint, an on-the-fly minifier or autoprefixer service, a theme importer). A build pipeline that only processes the project's own stylesheets is exposed only if an attacker can alter those inputs, for example through a compromised dependency that ships CSS.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2021-23368?

Available Upgrade Options

  • postcss
    • >=7.0.0, <7.0.36 → Upgrade to 7.0.36
    • >=8.0.0, <8.2.10 → Upgrade to 8.2.10
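Nested copies of postcss are common (autoprefixer, cssnano and similar tools pin their own), so an upgrade of the top-level dependency can leave a vulnerable copy in place. The following is an added example, not a tool from postcss or this page, that checks every postcss entry in a `package-lock.json` (lockfileVersion 2 or 3) against the ranges listed above. The `findAffectedPostcss` and `isAffected` names and the lockfile contents are constructed for the example; it assumes no pre-release versions of postcss are being audited.

```javascript
// Added example, not postcss's own code. Audits lockfile entries against the
// advisory's affected ranges: >=7.0.0 <7.0.36 and >=8.0.0 <8.2.10.
const AFFECTED_RANGES = [
  { from: [7, 0, 0], before: [7, 0, 36] },
  { from: [8, 0, 0], before: [8, 2, 10] },
];

// Parse "major.minor.patch"; any pre-release or build suffix is ignored
// (assumption for this example: no pre-release postcss builds are installed).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compare(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(r => compare(v, r.from) >= 0 && compare(v, r.before) < 0);
}

// lockfileVersion 2/3 keeps a flat "packages" map keyed by install path, so a
// nested copy appears as ".../node_modules/postcss". Matching on that suffix
// also keeps a scoped package that happens to be named postcss out of the way.
function findAffectedPostcss(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isPostcss = path === 'node_modules/postcss' || path.endsWith('/node_modules/postcss');
    if (!isPostcss || !entry.version) continue;
    if (isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lockfile: the root copy is fixed, two nested copies are not.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/postcss': { version: '8.2.10' },
    'node_modules/autoprefixer': { version: '9.8.6', dependencies: { postcss: '^7.0.32' } },
    'node_modules/autoprefixer/node_modules/postcss': { version: '7.0.35' },
    'node_modules/some-tool/node_modules/postcss': { version: '8.1.4' },
    'node_modules/@scope/postcss': { version: '7.0.0' },   // different package, ignored
  },
};

for (const hit of findAffectedPostcss(SAMPLE_LOCK)) {
  console.log(`affected: ${hit.path} @ ${hit.version}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. A lockfileVersion 1 file uses a nested `dependencies` tree instead of `packages` and is not handled here; `npm ls postcss` shows the same nested copies for any lockfile version. Versions below 7.0.0 fall outside the ranges this page lists and are reported as unaffected by this check, which says nothing about whether they carry the same code.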


Additional Resources

What are Similar Vulnerabilities to CVE-2021-23368?

Similar Vulnerabilities: CVE-2020-28168, CVE-2019-10744, CVE-2019-8331, CVE-2018-16460, CVE-2017-1000048