CVE-2021-23382
Regular Expression Denial of Service (ReDoS) vulnerability in postcss
What is CVE-2021-23382 About?
The `postcss` package (versions before 7.0.36 or between 8.0.0 and 8.2.13) is vulnerable to a Regular Expression Denial of Service (ReDoS). An attacker can supply a specially crafted string that consumes excessive processing time, causing the application to become unresponsive. The vulnerable regex sub-patterns are located in `lib/previous-map.js`.
Affected Software
- postcss
- >8.0.0, <8.2.13
- <7.0.36
Technical Details
This Regular Expression Denial of Service (ReDoS) vulnerability in `postcss` exists in versions prior to 7.0.36 and between 8.0.0 and 8.2.13. It stems from inefficient regular expressions used in the `getAnnotationURL()` and `loadAnnotation()` functions in `lib/previous-map.js`. Specifically, the sub-pattern `\/\*\s* sourceMappingURL=(.*)` is identified as problematic. An attacker can craft a malicious input string (for example, by repeatedly appending `/*# sourceMappingURL=` fragments) that causes this regex to exhibit catastrophic backtracking. This leads to an exponential increase in processing time relative to the input length, consuming excessive CPU resources and resulting in a Denial of Service.
What is the Impact of CVE-2021-23382?
Successful exploitation may allow attackers to cause the application to become unresponsive or crash due to excessive resource consumption. This can lead to a denial of service, making the application unavailable to legitimate users.
What is the Exploitability of CVE-2021-23382?
Exploitation of this Regular Expression Denial of Service (ReDoS) vulnerability is of moderate complexity. An attacker needs to craft a specific input string that triggers catastrophic backtracking in the vulnerable regular expression. No authentication or privileged access is required, so the issue is potentially exploitable by remote, unauthenticated attackers if they can provide input to a code path that uses the affected `postcss` functions. The attack vector is remote, given the typical use of `postcss` for processing web-related content. The primary risk factor is applications that process untrusted or user-supplied CSS/JavaScript comments or similar content with vulnerable versions of `postcss`, since such inputs can be specifically designed to trigger the ReDoS.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-23382?
About the Fix from Resolved Security
The patch strengthens the regular expression used to extract sourceMappingURL annotations, ensuring it does not accidentally match nested or multiple sourceMappingURL assignments within a single comment. This prevents a potential Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2021-23382) by making the regex more precise and efficient, avoiding catastrophic backtracking with crafted malicious input.
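Both the weakness described under Technical Details and the fix described above come down to the same `(.*)` capture, which can swallow further `sourceMappingURL=` fragments and then backtrack over them. The following is an added example written for this page, not postcss code or its actual patch: it extracts the annotation with a single left-to-right scan, so processing time is linear in the input length, and it rejects a comment that nests a second marker instead of matching it. The function and variable names are the example's own.

```javascript
// Added example (not postcss code): linear-time sourceMappingURL extraction.
// Instead of a regex with an unbounded `(.*)` capture, walk the CSS once with
// indexOf(), so cost is proportional to input length however many
// `/*# sourceMappingURL=` fragments the input contains.

const MARKER = "sourceMappingURL=";

// Returns the URL of the last complete `/*# sourceMappingURL=... */`
// annotation comment, or null if there is none.
function getSourceMappingURL(css) {
  let result = null;
  let pos = 0;
  for (;;) {
    const open = css.indexOf("/*", pos);
    if (open === -1) break;
    const close = css.indexOf("*/", open + 2);
    if (close === -1) break;          // unterminated comment: nothing to match
    pos = close + 2;                  // next search starts after this comment

    // Inside the comment: optional whitespace, `#`, optional whitespace, marker.
    let i = open + 2;
    while (i < close && /\s/.test(css[i])) i++;   // single-char tests only
    if (css[i] !== "#") continue;
    i++;
    while (i < close && /\s/.test(css[i])) i++;
    if (!css.startsWith(MARKER, i)) continue;

    const url = css.slice(i + MARKER.length, close).trim();
    // A comment carrying a second marker before its `*/` is the nested case
    // the original `(.*)` would have absorbed; reject it rather than match it.
    if (url.length === 0 || url.includes(MARKER)) continue;
    result = url;
  }
  return result;
}

module.exports = { getSourceMappingURL };
```

Feeding the repeated-marker string from Technical Details to this function returns null after one pass, whereas a `(.*)`-based pattern would backtrack across every fragment.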
Available Upgrade Options
- postcss
- <7.0.36 → Upgrade to 7.0.36
- postcss
- >8.0.0, <8.2.13 → Upgrade to 8.2.13
Additional Resources
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1255641
- https://osv.dev/vulnerability/GHSA-566m-qj78-rww5
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956
- https://github.com/postcss/postcss/releases/tag/7.0.36
- https://nvd.nist.gov/vuln/detail/CVE-2021-23382
What are Similar Vulnerabilities to CVE-2021-23382?
Similar Vulnerabilities: CVE-2021-23424, CVE-2020-7609, CVE-2020-7760, CVE-2020-28498, CVE-2019-1000007
