CVE-2021-33587
Denial of Service (DoS) vulnerability in css-what (npm)
What is CVE-2021-33587 About?
The css-what package, versions 4.0.0 through 5.0.0 for Node.js, is vulnerable to Denial of Service (DoS). Its attribute-selector parsing does not run in time linear in the size of the input, so a specially crafted selector string can keep the parser busy for far longer than its length warrants. Exploitation requires nothing more than getting a crafted CSS selector to the vulnerable parser.
Affected Software
- css-what (npm), versions 4.0.0 through 5.0.0; fixed in 5.0.1
Technical Details
The css-what package, versions 4.0.0 through 5.0.0 for Node.js, suffers from a Denial of Service (DoS) vulnerability because its regular-expression-based attribute-selector parsing is not bounded to linear time relative to the input size. An attacker can craft an attribute selector consisting of long, repetitive character runs that the parser must re-examine many times while matching. Because the cost is super-linear, processing time and CPU consumption grow far faster than the input, and the Node.js event loop is blocked for the whole parse. When the application parses attacker-controlled selectors, this makes it unresponsive or causes it to crash, denying service to legitimate users. Version 5.0.1 fixes the attribute parser (see the referenced commit).
What is the Impact of CVE-2021-33587?
Successful exploitation lets a remote attacker tie up the CPU of the Node.js process with a single crafted selector, rendering the affected application or system unresponsive and disrupting its availability. Confidentiality and integrity are not affected; this is an availability-only issue.
What is the Exploitability of CVE-2021-33587?
Exploitation consists of getting a specially crafted attribute selector string to an application that parses it with the vulnerable css-what. Crafting the input is of low to medium complexity. No authentication or privileges are required, and the attack is remote whenever the application accepts CSS selectors from external, untrusted sources (for example, selector strings taken from request parameters and handed to an HTML-processing library that depends on css-what). The main precondition is that the application uses the vulnerable parsing code, directly or through a dependency. Risk is highest when user-controlled selectors reach the parser with no length limit or allow-list; applications that only parse developer-authored selectors are not exposed to attacker input, but should still upgrade.
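To make the non-linear-parsing point above concrete, here is an added JavaScript example written for this page. It is not css-what's code, and the regular expression in it is an illustrative stand-in that has the same class of weakness (two repetitions that can claim the same characters and backtrack), not the pattern css-what actually shipped. It pairs that backtracking regex with a hand-written single-pass scanner for the same `[name]` / `[name=value]` shape, measures how parse time grows when a hostile input doubles in length, and adds the kind of length cap for untrusted selectors that the exploitability section recommends. The 256-character budget and the 2000-character demo size are assumed values.

```javascript
// Added example for this advisory page; not css-what's code. The regex below is
// an illustrative stand-in with the same class of weakness (overlapping
// repetitions that backtrack), not the pattern css-what actually shipped.

// Toy attribute-selector regex. Because the `=` is optional, the name group
// `([\w-]+)` and the value group `([\w-]*)` can both claim the same run of
// word characters. On input such as "[aaaa...a" (no closing bracket) the
// engine tries every split between the two groups and, for each split,
// backtracks the value group character by character: roughly n^2 / 2 steps.
const VULNERABLE_ATTR_RE = /^\[\s*([\w-]+)\s*(=)?\s*([\w-]*)\s*\]/;

function parseAttrWithRegex(selector) {
  const m = VULNERABLE_ATTR_RE.exec(selector);
  if (m === null) return null;
  return { name: m[1], value: m[2] ? m[3] : null, consumed: m[0].length };
}

// Linear-time scanner for the same shape: one left-to-right pass over an
// explicit index that never rewinds, so each character is examined a bounded
// number of times regardless of content.
function parseAttrLinear(selector) {
  const n = selector.length;
  let i = 0;
  const isWord = (c) => /[\w-]/.test(c);
  const skipWs = () => { while (i < n && /\s/.test(selector[i])) i++; };

  if (selector[i] !== '[') return null;
  i++;
  skipWs();
  const nameStart = i;
  while (i < n && isWord(selector[i])) i++;
  if (i === nameStart) return null;            // attribute name is mandatory
  const name = selector.slice(nameStart, i);
  skipWs();

  let value = null;
  if (selector[i] === '=') {
    i++;
    skipWs();
    const valueStart = i;
    while (i < n && isWord(selector[i])) i++;
    value = selector.slice(valueStart, i);
    skipWs();
  }
  if (selector[i] !== ']') return null;          // unterminated or junk inside
  return { name, value, consumed: i + 1 };
}

// Constructed hostile input: an opening bracket, n word characters, no `]`.
function hostileSelector(n) {
  return '[' + 'a'.repeat(n);
}

// Wall-clock cost of one parse, in milliseconds.
function timeMs(parse, input) {
  const t0 = process.hrtime.bigint();
  parse(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Ratio of parse time when the hostile input doubles in length. A linear
// parser lands near 2; a quadratic one near 4. Use an n large enough that the
// smaller run takes measurable time (a few thousand characters here).
function doublingRatio(parse, n) {
  return timeMs(parse, hostileSelector(2 * n)) / timeMs(parse, hostileSelector(n));
}

// Guard for selectors that arrive from untrusted input (query parameters,
// request bodies): a hard length cap bounds the work any parser can be made
// to do. The 256-character budget is an assumption for this example, not a
// figure from the advisory; size it from the selectors your application needs.
const MAX_UNTRUSTED_SELECTOR_LENGTH = 256;

function parseUntrustedAttr(selector, parse = parseAttrLinear) {
  if (typeof selector !== 'string') {
    throw new TypeError('selector must be a string');
  }
  if (selector.length > MAX_UNTRUSTED_SELECTOR_LENGTH) {
    throw new RangeError(`selector longer than ${MAX_UNTRUSTED_SELECTOR_LENGTH} characters rejected`);
  }
  return parse(selector);
}

// Demo: the regex ratio should sit near 4, the scanner's near 2.
const demoLength = 2000;
console.log('regex  doubling ratio:', doublingRatio(parseAttrWithRegex, demoLength).toFixed(1));
console.log('linear doubling ratio:', doublingRatio(parseAttrLinear, demoLength).toFixed(1));
```

The length cap is a mitigation, not a fix: it bounds the damage from any parser an attacker can reach, but the upgrade to css-what 5.0.1 is still what removes the super-linear behaviour. Run the block with `node` and raise `demoLength` to see the regex ratio settle near 4 while the scanner stays near 2.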
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-33587?
Available Upgrade Options
- css-what
- >=4.0.0, <5.0.1 → Upgrade to 5.0.1
Additional Resources
- https://github.com/fb55/css-what/releases/tag/v5.0.1
- https://osv.dev/vulnerability/GHSA-q8pj-2vqx-8ggc
- https://nvd.nist.gov/vuln/detail/CVE-2021-33587
- https://github.com/fb55/css-what
- https://security.netapp.com/advisory/ntap-20210706-0007
- https://github.com/fb55/css-what/commit/4cdaacfd0d4b6fd00614be030da0dea6c2994655
- https://lists.debian.org/debian-lts-announce/2023/03/msg00001.html
What are Similar Vulnerabilities to CVE-2021-33587?
Similar Vulnerabilities: CVE-2021-23362, CVE-2023-38545, CVE-2023-45803, CVE-2023-34062, CVE-2022-24756
