CVE-2023-26364
Improper Input Validation vulnerability in css-tools (npm)

Improper Input Validation | No known exploit | Fixable by Resolved Security

What is CVE-2023-26364 About?

This is an Improper Input Validation vulnerability in @adobe/css-tools versions 4.3.0 and earlier, which can lead to a denial of service. When parsing specially crafted CSS input, the vulnerability causes the software to become unresponsive. Exploitation is relatively straightforward for an attacker who can supply malformed CSS.

Affected Software

@adobe/css-tools <4.3.1

Technical Details

The vulnerability in @adobe/css-tools (version 4.3.0 and earlier) stems from improper input validation during CSS parsing. An attacker can supply a malformed or overly complex CSS string to the library. Without sufficient validation or sanitization, the parsing engine attempts to process the invalid input and may enter an infinite loop, perform excessive computation, or consume all available memory. This resource exhaustion makes the process unresponsive, resulting in a denial of service for any application that relies on the library for CSS processing. The attack vector is the input passed to the CSS parser function.

What is the Impact of CVE-2023-26364?

Successful exploitation may allow attackers to trigger a denial of service by providing specially crafted, malformed CSS input, causing the application to become unresponsive.

What is the Exploitability of CVE-2023-26364?

Exploiting this vulnerability involves providing specially crafted, malformed CSS input to the @adobe/css-tools parser. The complexity is low to moderate, as it requires knowledge of CSS parsing behavior and potential edge cases. Authentication is typically not required if the application exposes an endpoint that processes user-supplied CSS, such as a theme editor or content management system. No privileges are required. The vulnerability is likely remotely exploitable if the CSS input can be provided over a network; otherwise it could be local. There are no known special conditions, though the effectiveness of the DoS depends on the processing environment. Risk factors include applications that dynamically process user-generated or external CSS without robust input validation.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2023-26364?

A Fix by Resolved Security Exists!
Fix open-source vulnerabilities without upgrading your dependencies.

Available Upgrade Options

  • @adobe/css-tools
    • <4.3.1 → Upgrade to 4.3.1
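
To confirm whether a project still resolves a version in the affected range (<4.3.1), including copies nested under other dependencies, the following added example scans a parsed package-lock.json object. It is not code from this advisory or from the @adobe/css-tools project; the sample lockfile and the dependency name example-ui-kit are constructed for illustration.

```javascript
const PKG = "@adobe/css-tools";
const FIXED = [4, 3, 1]; // fixed version stated in the advisory

// Split "major.minor.patch[-prerelease]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

// True when the version falls in the affected range (<4.3.1).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // unparseable: report it instead of assuming it is safe
  for (let i = 0; i < 3; i++) {
    if (v.nums[i] !== FIXED[i]) return v.nums[i] < FIXED[i];
  }
  return v.pre; // a 4.3.1 prerelease sorts before 4.3.1
}

// Return every affected install found in a parsed package-lock.json object.
function findAffected(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const match = path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (match && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed lockfile: "example-ui-kit" is a hypothetical dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@adobe/css-tools": { version: "4.3.1" },
    "node_modules/example-ui-kit": { version: "2.0.0" },
    "node_modules/example-ui-kit/node_modules/@adobe/css-tools": { version: "4.2.0" },
  },
};
console.log(findAffected(SAMPLE_LOCK));
```

A top-level copy at 4.3.1 does not clear the project if a transitive dependency pins an older nested copy, which is the case the sample lockfile exercises.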

Additional Resources

What are Similar Vulnerabilities to CVE-2023-26364?

Similar Vulnerabilities: CVE-2021-23366, CVE-2020-7661, CVE-2020-15250, CVE-2020-13692, CVE-2021-23381