CVE-2022-25758
Regular Expression Denial of Service (ReDoS) vulnerability in scss-tokenizer (npm)

Status: Regular Expression Denial of Service (ReDoS). No known exploit. Fixable by Resolved Security.

What is CVE-2022-25758 About?

All versions of the `scss-tokenizer` package prior to 0.4.3 are vulnerable to Regular Expression Denial of Service (ReDoS). This is caused by an insecure regular expression used in the `loadAnnotation()` function. Attackers can exploit this by providing specially crafted input, leading to excessive CPU consumption and application unresponsiveness.

Affected Software

scss-tokenizer <0.4.3

Technical Details

The scss-tokenizer package, in all versions before 0.4.3, is affected by a Regular Expression Denial of Service (ReDoS) vulnerability. This flaw resides within the loadAnnotation() function, which uses an insecurely constructed regular expression. When a specially crafted input string containing a pathological sequence is fed to this function, the regular expression engine enters a state of catastrophic backtracking. This results in an exponential increase in processing time relative to the input length, consuming excessive CPU resources and causing the application to become unresponsive, thereby leading to a denial of service.

What is the Impact of CVE-2022-25758?

Successful exploitation may allow attackers to cause applications using the affected package to consume excessive computational resources, leading to a denial of service.

What is the Exploitability of CVE-2022-25758?

Exploitation complexity is low: it primarily involves supplying a malicious input string that reaches the vulnerable regular expression in the loadAnnotation() function. No authentication or elevated privileges are required. The attack vector is typically remote when the application tokenizes untrusted user-supplied SCSS or CSS-like input with scss-tokenizer. The key prerequisites are that the application uses a vulnerable version of scss-tokenizer and passes attacker-controlled input to it. Risk is highest for applications that tokenize user-generated stylesheets or other annotation-bearing text without validating or bounding it first.

What are the Known Public Exploits?

No known public exploits (PoC / Author / Link / Commentary: none listed).

What are the Available Fixes for CVE-2022-25758?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch updates the regular expression used to extract the sourceMappingURL annotation, preventing nested or multiple sourceMappingURL directives from being greedily matched. By ensuring only the first valid URL is extracted, it mitigates the risk described in CVE-2022-25758, where attackers could craft malicious CSS to trick the parser and potentially execute unintended behavior or perform SSRF and local file disclosure.

Available Upgrade Options

  • scss-tokenizer
    • <0.4.3 → Upgrade to 0.4.3


Additional Resources

What are Similar Vulnerabilities to CVE-2022-25758?

Similar Vulnerabilities: CVE-2021-23377, CVE-2020-28267, CVE-2019-10741, CVE-2018-16471, CVE-2017-16016