<p>Upgrade <code>postcss-inline-base64</code> to version 3.0.0 or higher.</p>

Regular Expression Denial of Service (ReDoS) Affecting postcss-inline-base64 package, versions <3.0.0

Snyk CVSS

Attack Complexity Low

Availability High

Threat Intelligence

Exploit Maturity Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID npm:postcss-inline-base64:20180216
published 18 Feb 2018
disclosed 16 Feb 2018
credit Jamie Davis

Report a new vulnerability Found a mistake?

Introduced: 16 Feb 2018

CWE-185 Open this link in a new tab CWE-400 Open this link in a new tab First added by Snyk

How to fix?

Upgrade postcss-inline-base64 to version 3.0.0 or higher.

Overview

postcss-inline-base64 is a PostCSS plugin for encode the file to base64

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to using an inefficient pattern (^(https?:|ftp:)?\/\/([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$) in order to validate URLs. This can cause an impact of about 10 seconds matching time for data 46 characters long.

Disclosure Timeline

Feb 13th, 2018 - Initial Disclosure to package owner

Feb 14th, 2018 - Initial Response from package owner

Feb 16th, 2018 - Fix issued, not yet published to npm.

Feb 18th, 2018 - Vulnerability published

References

GitHub Commit