
CVE-2022-24373: react-native-reanimated vulnerable to ReDoS

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.21578%
Published: 10/1/2022
Updated: 8/17/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: react-native-reanimated
Ecosystem: npm
Vulnerable Versions: < 2.10.0
First Patched Version: 2.10.0

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems directly from the regex pattern defined in the NUMBER constant within Colors.ts, as shown in the commit diff. This regex was used for validating numeric components in color values (like RGB/A, HSL/A). The original pattern contained ambiguous quantifiers (\d* and .?) that permitted multiple evaluation paths, enabling ReDoS attacks when matching attacker-controlled strings. The patched commit specifically addresses this by restructuring the regex to eliminate ambiguous paths while maintaining functionality.
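The ambiguity the analysis describes, as an added example that is not code from react-native-reanimated or from the referenced commit: a constructed NUMBER-style pattern with the `\d*` / `.?` / `\d+` shape named above, beside a constructed rewrite in which every run of digits belongs to exactly one sub-pattern, wrapped in a small rgb()/rgba() parser. The project's actual patched pattern is in the commit the advisory cites and is not reproduced on this page; the input-length cap is an extra defence-in-depth measure added here, not the project's fix. The pattern names, the parser function and the 64-character limit are assumptions.

```javascript
// Added example (constructed; not the react-native-reanimated source).
// Demonstrates why adjacent quantifiers over overlapping character classes
// are a ReDoS risk and how an unambiguous rewrite plus an input bound
// removes that risk without changing which numbers are accepted.

// Constructed pattern with the ambiguous shape the advisory names:
// `\d*`, an optional `\.?`, then `\d+` can split one run of digits in
// many ways, so a match that fails later backtracks over every split.
const NUMBER_AMBIGUOUS = '[-+]?\\d*\\.?\\d+([eE][-+]?\\d+)?';

// Constructed unambiguous rewrite: the fractional prefix must contain the
// dot, so digits before a dot and digits after it are matched by distinct
// sub-patterns and there is only one way to consume a given digit run.
const NUMBER_SAFE = '[-+]?(?:\\d*\\.)?\\d+(?:[eE][-+]?\\d+)?';

// Defence-in-depth (assumed limit): no legitimate colour string is anywhere
// near this long, so reject oversized input before any regex runs.
const MAX_COLOR_LENGTH = 64;

// Build an anchored rgb()/rgba() matcher around a NUMBER sub-pattern.
function rgbPattern(number) {
  return new RegExp(
    '^rgba?\\(\\s*(' + number + ')\\s*,\\s*(' + number + ')\\s*,\\s*(' +
      number + ')\\s*(?:,\\s*(' + number + ')\\s*)?\\)$'
  );
}

const RGB_SAFE = rgbPattern(NUMBER_SAFE);

// Parse "rgb(r, g, b)" or "rgba(r, g, b, a)" into numeric components,
// or return null for anything that is not well formed or is too long.
function parseRgb(input) {
  if (typeof input !== 'string' || input.length > MAX_COLOR_LENGTH) return null;
  const m = RGB_SAFE.exec(input);
  if (!m) return null;
  return {
    r: Number(m[1]),
    g: Number(m[2]),
    b: Number(m[3]),
    a: m[4] === undefined ? 1 : Number(m[4]),
  };
}

// Regression check for the rewrite: on the supplied samples, the ambiguous
// and the unambiguous NUMBER patterns must give identical accept/reject
// verdicts, so the hardening does not change parser behaviour.
function acceptsSameNumbers(samples) {
  const ambiguous = new RegExp('^' + NUMBER_AMBIGUOUS + '$');
  const safe = new RegExp('^' + NUMBER_SAFE + '$');
  return samples.every((s) => ambiguous.test(s) === safe.test(s));
}

// Constructed sample inputs covering valid and invalid numeric forms.
const NUMBER_SAMPLES = ['1', '1.5', '.5', '-3', '+2.0e-3', '1.', 'abc', '', '1..2', '1e'];
```

`acceptsSameNumbers(NUMBER_SAMPLES)` returns true, and `parseRgb` rejects an oversized string before the regex engine sees it; the rewrite is the structural fix, the length cap only bounds the cost of any pattern that still backtracks.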


WAF Protection Rules

WAF Rule

The package react-native-reanimated before 2.10.0 is vulnerable to Regular Expression Denial of Service (ReDoS) due to improper usage of regular expression in the parser of Colors.js.
