Homepage
About Snyk

Regular Expression Denial of Service (ReDoS) Affecting postcss-inline-base64 package, versions <3.0.0

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID npm:postcss-inline-base64:20180216
  • published 18 Feb 2018
  • disclosed 16 Feb 2018
  • credit Jamie Davis
Report a new vulnerability Found a mistake?

Introduced: 16 Feb 2018

CVE NOT AVAILABLE CWE-185 Open this link in a new tab
CWE-400 Open this link in a new tab
First added by Snyk

How to fix?

Upgrade postcss-inline-base64 to version 3.0.0 or higher.

Overview

postcss-inline-base64 is a PostCSS plugin for encode the file to base64

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to using an inefficient pattern (^(https?:|ftp:)?\/\/([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$) in order to validate URLs. This can cause an impact of about 10 seconds matching time for data 46 characters long.

Disclosure Timeline

Feb 13th, 2018 - Initial Disclosure to package owner

Feb 14th, 2018 - Initial Response from package owner

Feb 16th, 2018 - Fix issued, not yet published to npm.

Feb 18th, 2018 - Vulnerability published

References

CVSS Scores

version 3.1
Expand this section

Snyk

7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High