First published: Mon Apr 26 2021
A regular expression denial of service (ReDoS) vulnerability was found in the npm library `postcss`, in the getAnnotationURL() and loadAnnotation() functions in lib/previous-map.js, which parse the `sourceMappingURL` comment annotation of an input stylesheet. An attacker who can supply CSS that postcss processes (for example through a build pipeline that handles untrusted stylesheets) can craft input that makes the annotation regular expression backtrack excessively, resulting in a denial of service.
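The following is an added example illustrating the vulnerability class described above; it is not code from postcss or from the advisory. The vulnerable pattern is an approximation of a sourceMappingURL annotation matcher and is an assumption, not a quote of lib/previous-map.js. Its defect is the generic one behind this kind of ReDoS: `(.*)` and `\s*` both accept spaces, so an annotation that is never closed with `*/` forces the engine to try every split of the padding (quadratic work). The hardened form matches only the unambiguous prefix and then finds the comment close with a plain string search. The CSS inputs are constructed for the demonstration.

```javascript
// Added example (not postcss's code): the ReDoS class behind CVE-2021-23382.
// VULNERABLE_ANNOTATION_RE is an assumed approximation of a sourceMappingURL
// matcher. `(.*)` and `\s*` overlap on spaces: when `*/` is missing, every way
// of splitting the run of spaces between them is tried before the match fails.
const VULNERABLE_ANNOTATION_RE = /\/\*\s*# sourceMappingURL=(.*)\s*\*\//

function getAnnotationURLVulnerable(css) {
  const m = css.match(VULNERABLE_ANNOTATION_RE)
  return m ? m[1].trim() : null
}

// Hardened form: the regex covers only the prefix, which has no overlapping
// quantifiers (`\s*` must be followed by `#`), so it runs in linear time.
// The comment close is then located with indexOf instead of a second regex.
const ANNOTATION_PREFIX_RE = /\/\*\s*# sourceMappingURL=/g

function getAnnotationURLHardened(css) {
  let last = null
  // Take the last annotation so an earlier comment cannot shadow the real one.
  for (const m of css.matchAll(ANNOTATION_PREFIX_RE)) last = m
  if (!last) return null
  const start = last.index + last[0].length
  const end = css.indexOf('*/', start)
  if (end === -1) return null
  return css.slice(start, end).trim()
}

// Constructed malicious input: an annotation that is never closed, padded with n spaces.
function buildPayload(n) {
  return 'a{}\n/*# sourceMappingURL=' + ' '.repeat(n)
}

function timeMs(fn) {
  const t0 = process.hrtime.bigint()
  fn()
  return Number(process.hrtime.bigint() - t0) / 1e6
}

// Constructed benign stylesheet: both implementations agree on well-formed input.
const BENIGN = 'a{color:red}\n/*# sourceMappingURL=app.css.map */'
console.log(getAnnotationURLVulnerable(BENIGN), getAnnotationURLHardened(BENIGN)) // app.css.map app.css.map

// Quadratic vs linear: raise n to watch the vulnerable version's time grow as n^2.
const payload = buildPayload(20000)
console.log('vulnerable:', timeMs(() => getAnnotationURLVulnerable(payload)).toFixed(1), 'ms')
console.log('hardened:  ', timeMs(() => getAnnotationURLHardened(payload)).toFixed(1), 'ms')
```

Doubling `n` roughly quadruples the vulnerable version's time while the hardened version stays flat, which is the signature to look for when triaging any regex that combines `.*` with a neighbouring whitespace quantifier or another overlapping class.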
Credit: report@snyk.io
Affected Software | Affected Version | How to fix |
---|---|---|
postcss (npm) | <7.0.36 | upgrade to 7.0.36 |
postcss (npm) | >=8.0.0, <8.2.13 | upgrade to 8.2.13 |
CVE-2021-23382 is a Regular Expression Denial of Service (ReDoS) vulnerability in the npm package postcss, reachable via getAnnotationURL() and loadAnnotation() in lib/previous-map.js.
CVE-2021-23382 affects postcss versions before 7.0.36, and versions from 8.0.0 up to but not including 8.2.13.
CVE-2021-23382 has a CVSS base score of 7.5 (High).
To fix CVE-2021-23382, upgrade postcss to 7.0.36 or later on the 7.x line, or to 8.2.13 or later on the 8.x line. Check transitive copies pulled in by other packages as well: a fixed top-level version does not cover a nested, older postcss in the dependency tree.
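As an added example (not part of the advisory), the check below applies the affected ranges listed above to every postcss entry in an npm `package-lock.json`, including nested copies under other packages. It reads the `packages` map that lockfile versions 2 and 3 use, keyed by install path; the lockfile content is constructed for the demonstration.

```javascript
// Added example (not from the advisory): flag vulnerable postcss versions in a
// package-lock.json, including transitive copies. Ranges are those the advisory
// lists for CVE-2021-23382; SAMPLE_LOCK is constructed for illustration.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v)
  if (!m) throw new Error(`unparseable version: ${v}`)
  return m.slice(1, 4).map(Number)
}

// Returns -1, 0 or 1 comparing major.minor.patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a)
  const pb = parseVersion(b)
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1
  }
  return 0
}

// Affected: <7.0.36, or >=8.0.0 <8.2.13. Fixed in 7.0.36 and 8.2.13.
function isVulnerablePostcss(version) {
  const lt = (v) => compareVersions(version, v) < 0
  const gte = (v) => compareVersions(version, v) >= 0
  return lt('7.0.36') || (gte('8.0.0') && lt('8.2.13'))
}

// Walk the lockfile v2/v3 "packages" map. Keys are install paths such as
// "node_modules/postcss" or "node_modules/autoprefixer/node_modules/postcss",
// so a nested copy is found as well as the top-level one.
function findVulnerablePostcss(lockfile) {
  const hits = []
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/postcss')) continue
    if (meta.version && isVulnerablePostcss(meta.version)) {
      hits.push({ path, version: meta.version })
    }
  }
  return hits
}

// Constructed lockfile: the top-level postcss is fixed, a transitive copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo' },
    'node_modules/postcss': { version: '8.2.13' },
    'node_modules/postcss-value-parser': { version: '4.1.0' },
    'node_modules/autoprefixer': { version: '9.8.6' },
    'node_modules/autoprefixer/node_modules/postcss': { version: '7.0.35' },
  },
}

console.log(findVulnerablePostcss(SAMPLE_LOCK))
// [ { path: 'node_modules/autoprefixer/node_modules/postcss', version: '7.0.35' } ]
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; any hit under a nested path means the fix requires the dependant package to accept a newer postcss (or an `overrides` entry), not just a top-level upgrade.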
You can find more information about CVE-2021-23382 at the following references:
- https://www.cve.org/CVERecord?id=CVE-2021-23382
- https://nvd.nist.gov/vuln/detail/CVE-2021-23382
- https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
- https://bugzilla.redhat.com/show_bug.cgi?id=1954150
- https://access.redhat.com/errata/RHSA-2021:3016