Regular Expression Denial of Service (ReDoS) Affecting postcss-inline-base64 package, versions <3.0.0



    Attack Complexity Low
    Availability High

    Threat Intelligence

    Exploit Maturity Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:postcss-inline-base64:20180216
  • published 18 Feb 2018
  • disclosed 16 Feb 2018
  • credit Jamie Davis

Introduced: 16 Feb 2018

CVE NOT AVAILABLE CWE-185 Open this link in a new tab
CWE-400 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade postcss-inline-base64 to version 3.0.0 or higher.


postcss-inline-base64 is a PostCSS plugin for encode the file to base64

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to using an inefficient pattern (^(https?:|ftp:)?\/\/([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$) in order to validate URLs. This can cause an impact of about 10 seconds matching time for data 46 characters long.

Disclosure Timeline

Feb 13th, 2018 - Initial Disclosure to package owner

Feb 14th, 2018 - Initial Response from package owner

Feb 16th, 2018 - Fix issued, not yet published to npm.

Feb 18th, 2018 - Vulnerability published