@adobe/css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Css-tools | Adobe | * | 4.3.2 (excluding) |
| Migration Toolkit for Runtimes 1 on RHEL 8 | RedHat | mtr/mtr-operator-bundle:1.2-23 | * |
| Migration Toolkit for Runtimes 1 on RHEL 8 | RedHat | mtr/mtr-rhel8-operator:1.2-15 | * |
| Migration Toolkit for Runtimes 1 on RHEL 8 | RedHat | mtr/mtr-web-container-rhel8:1.2-16 | * |
| Migration Toolkit for Runtimes 1 on RHEL 8 | RedHat | mtr/mtr-web-executor-container-rhel8:1.2-14 | * |
| MTA-6.2-RHEL-9 | RedHat | mta/mta-windup-addon-rhel9:6.2.3-2 | * |
| MTA-7.0-RHEL-9 | RedHat | mta/mta-cli-rhel9:7.0.3-16 | * |
| MTA-7.0-RHEL-9 | RedHat | mta/mta-ui-rhel9:7.0.3-13 | * |
| RHODF-4.15-RHEL-9 | RedHat | odf4/odf-console-rhel9:v4.15.0-57 | * |
Attackers can create crafted inputs that intentionally cause the regular expression to use excessive backtracking in a way that causes the CPU consumption to spike.
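Two checks a defender would want from this advisory, as an added example (not code from the advisory or from the @adobe/css-tools project): a version test that flags any installed @adobe/css-tools release below the 4.3.2 fix listed in the table, and an input-size guard for code that must keep parsing untrusted CSS until the upgrade lands. Because a regular expression with exponential backtracking runs synchronously and cannot be interrupted mid-call on the JavaScript main thread, capping the input before it reaches the parser is the practical stop-gap; the `parse` argument is assumed to be any function shaped like css-tools' `parse(css)`, the 256 KiB default limit is a constructed value, and `CssInputTooLargeError` is a name introduced here.

```javascript
// Added example, not part of the advisory or the @adobe/css-tools project.
// 1. isAffectedCssToolsVersion(): is a version inside the affected range
//    (everything strictly below 4.3.2, per the advisory table)?
// 2. parseWithInputBudget(): refuse oversized CSS before handing it to a
//    synchronous parser whose regex may backtrack exponentially.

const FIXED_VERSION = '4.3.2'; // first unaffected release (from the advisory table)

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; any -prerelease/+build
// suffix is ignored) into a numeric triple; throws on anything else.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$/.exec(String(version).trim());
  if (!m) throw new TypeError(`not a semver string: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 comparing two semver strings numerically (not lexically,
// so 4.10.0 correctly sorts after 4.3.2).
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is 4.3.1 or earlier, i.e. strictly below the fixed release.
function isAffectedCssToolsVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Hypothetical error type so callers can distinguish "rejected by the guard"
// from a genuine parse error.
class CssInputTooLargeError extends Error {}

// Reject CSS larger than maxBytes before it reaches the parser. The default
// limit is a constructed value; size it to the stylesheets you actually handle.
// This bounds the work a single request can trigger; upgrading to 4.3.2 or
// later is the actual fix.
function parseWithInputBudget(parse, css, { maxBytes = 256 * 1024 } = {}) {
  const size = new TextEncoder().encode(css).length; // byte length, not char count
  if (size > maxBytes) {
    throw new CssInputTooLargeError(`refusing to parse ${size} bytes of CSS (limit ${maxBytes})`);
  }
  return parse(css);
}

// Example usage with a stand-in parser (constructed, not css-tools' own):
const demoParse = (css) => ({ type: 'stylesheet', source: css });
console.log(isAffectedCssToolsVersion('4.3.1'));          // true: upgrade needed
console.log(isAffectedCssToolsVersion('4.3.2'));          // false
console.log(parseWithInputBudget(demoParse, 'a{color:red}').type); // stylesheet
```

Run the version check against the resolved version in your lockfile rather than the range in `package.json`, since a caret range can still resolve to an affected release in an old install.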