Regular Expression Denial of Service (ReDoS) Affecting postcss-inline-base64 package, versions <3.0.0
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID npm:postcss-inline-base64:20180216
- published 18 Feb 2018
- disclosed 16 Feb 2018
- credit Jamie Davis
Introduced: 16 Feb 2018
CVE NOT AVAILABLE CWE-185 Open this link in a new tabHow to fix?
Upgrade postcss-inline-base64
to version 3.0.0 or higher.
Overview
postcss-inline-base64 is a PostCSS plugin for encode the file to base64
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to using an inefficient pattern (^(https?:|ftp:)?\/\/([\da-z\.-]+)\.([a-z\.]{2,6})([\/\w \.-]*)*\/?$
) in order to validate URLs. This can cause an impact of about 10 seconds matching time for data 46 characters long.
Disclosure Timeline
Feb 13th, 2018 - Initial Disclosure to package owner
Feb 14th, 2018 - Initial Response from package owner
Feb 16th, 2018 - Fix issued, not yet published to npm.
Feb 18th, 2018 - Vulnerability published