CVE-2023-48631
Improper Input Validation vulnerability in css-tools (npm)
What is CVE-2023-48631 About?
This vulnerability is an Improper Input Validation issue in @adobe/css-tools that can lead to a denial of service. Parsing specially crafted CSS can make the application unavailable, and because the trigger is only malformed input, the issue is relatively easy to exploit.
Affected Software
Technical Details
The @adobe/css-tools package, versions 4.3.1 and earlier, suffers from improper input validation when processing CSS. Attackers can craft malicious CSS input that, when parsed by the affected component, triggers an error condition or an infinite loop, consuming excessive system resources. This resource exhaustion ultimately results in a denial of service, preventing legitimate users from accessing the application.
What is the Impact of CVE-2023-48631?
Successful exploitation may allow attackers to cause a denial of service, rendering the affected application or service unavailable to legitimate users.
What is the Exploitability of CVE-2023-48631?
Exploitation typically involves sending a specially crafted input to the application. The complexity is low as it primarily relies on providing malformed data that the application fails to handle correctly. No authentication or elevated privileges are required for exploitation. The attack is remote, as it only requires sending malicious CSS code. The primary risk factor is the application's direct exposure to untrusted CSS input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-48631?
About the Fix from Resolved Security
Available Upgrade Options
- @adobe/css-tools
- <4.3.2 → Upgrade to 4.3.2
Additional Resources
- https://github.com/adobe/css-tools
- https://nvd.nist.gov/vuln/detail/CVE-2023-48631
- https://github.com/adobe/css-tools/pull/249
- https://github.com/adobe/css-tools/issues/211
- https://github.com/adobe/css-tools/security/advisories/GHSA-prr3-c3m5-p7q2
- https://osv.dev/vulnerability/GHSA-prr3-c3m5-p7q2
- https://github.com/adobe/css-tools/commit/472bef91bde9caab305f3f36231ad0c253581b43
What are Similar Vulnerabilities to CVE-2023-48631?
Similar Vulnerabilities: CVE-2023-45136, CVE-2023-45137, CVE-2023-49097, CVE-2023-45803
