CVE-2022-21222
Regular Expression Denial of Service (ReDoS) vulnerability in css-what (npm)

Class: Regular Expression Denial of Service (ReDoS). Known public exploit: none. Fix: available from Resolved Security.

What is CVE-2022-21222 About?

The `css-what` package prior to 2.1.3 is vulnerable to Regular Expression Denial of Service (ReDoS) because of a backtracking-prone regular expression held in the `re_attr` variable. An attacker who controls the input reaching the `parse` function can supply a specially crafted selector that makes the regular expression engine consume excessive CPU time, denying service to everything else the process is doing. Exploitation is straightforward wherever untrusted input reaches the parser.

Affected Software

css-what <2.1.3

Technical Details

The vulnerability in css-what versions before 2.1.3 is an instance of Regular Expression Denial of Service (ReDoS), located in the `re_attr` regular expression in index.js, which is used while parsing the attribute part of CSS selectors. An attacker who can hand a CSS selector to the `parse` function can craft one whose shape causes catastrophic backtracking: the engine retries an enormous number of ways to match the input before giving up, and the time it spends grows far faster than the input length (in the worst case exponentially). Because the match runs synchronously on the JavaScript thread, a single such selector pins the CPU and blocks the event loop of the Node.js process using css-what, so the application or service stops responding and other requests are starved, which is the denial of service.
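To make the mechanism concrete, the following is an added example (it is not code from css-what or from this advisory). The two regexes `ATTR_LOOSE` and `ATTR_STRICT` are constructed for illustration and are not the real `re_attr`: the first has the nested-quantifier shape that produces catastrophic backtracking on a selector-like input, the second parses the same grammar without ambiguity. The helpers `parseAttribute`, `adversarial`, `timeMatch`, `demo` and the `MAX_SELECTOR_LENGTH` budget are assumed names for this example, and it goes a little beyond the page by also showing a pre-regex length guard as defense in depth.

```javascript
// Added example, not code from css-what or from the advisory. It shows the
// backtracking shape behind a ReDoS in a selector-style regex, an unambiguous
// rewrite of the same grammar, and a pre-regex length guard. ATTR_LOOSE and
// ATTR_STRICT are constructed for illustration; neither is the real re_attr.

// Backtracking-prone shape: a repeated group whose body also repeats, with an
// optional separator between iterations. A run of n identifier characters can
// be split between the inner [\w-]+ and the outer + in 2^(n-1) ways, and when
// the "=" that follows is missing the engine tries every one of them.
const ATTR_LOOSE = /^\[\s*((?:[\w-]+\s*)+)=\s*([\w-]*)\s*\]/;

// Unambiguous rewrite of the same grammar: tokens must be separated by at
// least one whitespace character, so each input has one possible parse and a
// failed match is detected after a linear number of steps.
const ATTR_STRICT = /^\[\s*([\w-]+(?:\s+[\w-]+)*)\s*=\s*([\w-]*)\s*\]/;

// Hypothetical budget for this example; size it for the selectors your
// application legitimately accepts.
const MAX_SELECTOR_LENGTH = 256;

// Parse "[name = value]" with a chosen regex, rejecting oversized input before
// the regex engine ever sees it.
function parseAttribute(selector, re = ATTR_STRICT) {
  if (typeof selector !== 'string' || selector.length > MAX_SELECTOR_LENGTH) {
    return { ok: false, reason: 'selector rejected before regex ran' };
  }
  const m = re.exec(selector);
  if (!m) return { ok: false, reason: 'no match' };
  return { ok: true, name: m[1].trim(), value: m[2] };
}

// Constructed selector that never matches either regex: the closing "!" is
// where the backtracking starts.
function adversarial(n) {
  return '[' + 'a'.repeat(n) + '!';
}

// Time one regex evaluation in milliseconds.
function timeMatch(re, selector) {
  const start = process.hrtime.bigint();
  const matched = re.test(selector);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// Compare both regexes on growing adversarial inputs. Each extra character
// roughly doubles the loose regex's time; the strict regex stays flat.
// n is kept small so the demo finishes quickly.
function demo(sizes = [14, 16, 18, 20]) {
  return sizes.map((n) => {
    const sel = adversarial(n);
    return { n, loose: timeMatch(ATTR_LOOSE, sel), strict: timeMatch(ATTR_STRICT, sel) };
  });
}

for (const row of demo()) {
  console.log(`n=${row.n} loose=${row.loose.ms.toFixed(2)}ms strict=${row.strict.ms.toFixed(2)}ms`);
}
```

The length guard only bounds polynomial blowups; an exponential pattern is still unusable at 256 characters, so the regex itself has to be rewritten or the library upgraded. Because a JavaScript regex runs synchronously, the only runtime containment for a pattern you cannot change is to evaluate it in a worker thread that the main thread can abandon after a CPU-time budget.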

What is the Impact of CVE-2022-21222?

Successful exploitation causes a denial of service: CPU exhaustion, an unresponsive process, and unavailability of the affected application or service. The impact is on availability only; no data is disclosed or modified.

What is the Exploitability of CVE-2022-21222?

Exploitation is low-complexity. The attacker only needs to submit arbitrary, untrusted input that the application passes to the `parse` function of css-what as a CSS selector; no authentication or privileges are required. The attack works remotely whenever the application feeds external user-supplied data to the parser, for instance a selector taken from a request and handed to an HTML-querying library that depends on css-what. The only real constraint is whether such an input path exists; where it does, exploitation is likely.

What are the Known Public Exploits?

No known public exploits (no proof of concept, author, link or commentary recorded).

What are the Available Fixes for CVE-2022-21222?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

This patch widens the Unicode range accepted by the name and attribute regular expressions so that it also covers U+00B0 through U+00BF, letting the parser handle those characters in CSS selectors as ordinary identifier characters. According to the vendor, expanding these character ranges removes the parsing behaviour that crafted selectors could abuse, mitigating CVE-2022-21222. As with any backported fix, confirm the installed build against a long crafted attribute selector under a CPU-time budget before relying on it.

Available Upgrade Options

  • css-what
    • <2.1.3 → Upgrade to 2.1.3
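A practical first step for the affected range above is to find every copy of css-what in a lockfile, including copies nested under other dependencies that `npm ls` can hide. The following is an added example, not part of this advisory or of css-what. It walks both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2 and 3, flags versions below 2.1.3, and uses two constructed sample lockfiles embedded inline; `auditLockfile`, `isAffected` and the other names are assumptions of this example, and the version parser ignores pre-release and build suffixes for brevity.

```javascript
// Added example, not from the advisory or from css-what: audit an npm
// package-lock.json for css-what versions in the affected range (< 2.1.3).
// Both sample lockfiles below are constructed for this example.

const PACKAGE = 'css-what';
const FIXED = [2, 1, 3]; // first fixed release per the advisory

// Parse "MAJOR.MINOR.PATCH". Pre-release and build suffixes are ignored
// (an assumption for brevity; use the semver package for a real audit).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// True when the version falls inside the range named by the advisory.
function isAffected(version) {
  const parsed = parseVersion(version);
  return parsed !== null && isBelow(parsed, FIXED);
}

// lockfileVersion 1: a tree of nested "dependencies" objects.
function walkV1(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const installPath = prefix + 'node_modules/' + name;
    if (name === PACKAGE) {
      out.push({ path: installPath, version: entry.version, affected: isAffected(entry.version) });
    }
    walkV1(entry.dependencies, installPath + '/', out);
  }
}

// lockfileVersion 2 and 3: a flat "packages" map keyed by install path.
function walkPackages(packages, out) {
  const suffix = 'node_modules/' + PACKAGE;
  for (const [installPath, entry] of Object.entries(packages || {})) {
    if (installPath === suffix || installPath.endsWith('/' + suffix)) {
      out.push({ path: installPath, version: entry.version, affected: isAffected(entry.version) });
    }
  }
}

// Returns every css-what copy found, flagged. A v2 lockfile carries both
// "packages" and "dependencies", so only one of them is walked to avoid
// counting the same install twice.
function auditLockfile(lock) {
  const out = [];
  if (lock.packages) walkPackages(lock.packages, out);
  else walkV1(lock.dependencies, '', out);
  return out;
}

// Constructed lockfiles: a hoisted copy still on 2.1.2 next to a nested copy
// that is already fixed, and a v1 tree with a deeply nested old copy.
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/css-what': { version: '2.1.2' },
    'node_modules/cheerio': { version: '1.0.0-rc.3' },
    'node_modules/cheerio/node_modules/css-what': { version: '2.1.3' },
  },
};

const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    cheerio: {
      version: '1.0.0-rc.3',
      dependencies: {
        'css-select': {
          version: '2.0.2',
          dependencies: { 'css-what': { version: '2.1.0' } },
        },
      },
    },
  },
};

for (const lock of [SAMPLE_LOCK_V3, SAMPLE_LOCK_V1]) {
  for (const hit of auditLockfile(lock)) {
    console.log(`${hit.path}@${hit.version}: ${hit.affected ? 'affected, upgrade to 2.1.3' : 'ok'}`);
  }
}
```

In practice `lock` comes from `JSON.parse` of the project's package-lock.json; a nested copy reported as affected means the upgrade has to reach the dependency that pins it, not only the top-level package.json.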


Additional Resources

What are Similar Vulnerabilities to CVE-2022-21222?

Similar Vulnerabilities: CVE-2021-43307, CVE-2019-10747, CVE-2020-28283, CVE-2018-3721, CVE-2021-23377